I. REAL PARTY IN INTEREST

The real party in interest in the present appeal is the Assignee, Sony Corporation, a 
Japanese Corporation. The Assignment was recorded in the U.S. Patent and Trademark Office at 
Reel 012818, Frame 0493 on April 15, 2002. 



II. RELATED APPEALS AND INTERFERENCES 

There are no related appeals and no related interferences. 
III. STATUS OF CLAIMS

Claims 1-9 are pending in this application. The present Appeal is directed to claims 1-9 
that were rejected under 35 U.S.C. § 103(a) as being unpatentable over Fan (U.S. Patent 
No. 6,219,706) in view of Abadi (U.S. Patent No. 5,315,657) in a final office action dated 
December 27, 2005. 

IV. STATUS OF AMENDMENTS 

There are no pending amendments. However, Appellant reserves the right to submit an 
amendment to correct noted typographical errors that do not affect the appeal. 

V. SUMMARY OF CLAIMED SUBJECT MATTER 

The invention is directed to a network connection control apparatus and method for
granting or rejecting access when a device on a global network demands access to services
provided on a local network. (See page 8, line 10 through page 9, line 21.) The method
comprises the steps of authenticating the device on the global network in response to a service
access request message (see page 14, lines 2-12 and steps S1 and S2 in Fig. 3); creating an access
permission entry in response to an access request from the authenticated device (see page 14,
line 16 through page 15, line 9 and step S4 in Fig. 3) and adding the access permission entry to
an access permission list (see page 15, lines 10-11 and step S5 in Fig. 3); and determining, upon
receiving a data packet from a device on the global network, whether or not the data packet
should be transferred to the local network based on information extracted from the header of the
data packet and on the access permission entry contained in the access permission list (see
page 16, line 11 through page 17, line 11 and steps SS1 and SS2 in Fig. 5).

VI. GROUNDS OF REJECTION TO BE REVIEWED ON APPEAL 

Claims 1-9 stand rejected under 35 U.S.C. § 103(a) as obvious over Fan (U.S. Patent 
No. 6,219,706) in view of Abadi (U.S. Patent No. 5,315,657). 

VII. ARGUMENT 

Claims 1-9 are patentable over Fan in view of Abadi. 
A. The Claimed Invention 

Claim 1 is directed to a network connection control apparatus for granting or rejecting 
access when a device on a global network demands access to services provided on a local 
network. The network connection control apparatus comprises authentication means, access 
permission entry creating means, and control means. The authentication means authenticates the 
device on the global network in response to a service access request message. The access 
permission entry creating means creates an access permission entry in response to an access 
request from the device authenticated by the authentication means, and adds the access 
permission entry to an access permission list. Upon receiving a data packet sent from the device 
on the global network, the control means determines whether or not the data packet should be 
transferred to the local network based on information extracted from the header of the data 
packet and on the access permission entry contained in the access permission list. 

Claims 2-6 depend from claim 1. 
Claim 7 is directed to a network connection control method for granting or rejecting
access when a device on a global network demands access to services provided on a local 
network. The method comprises the steps of authenticating the device on the global network in 
response to a service access request message; creating an access permission entry in response to 
an access request from the authenticated device and adding the access permission entry to an 
access permission list; and determining, upon receiving a data packet from a device on the global 
network, whether or not the data packet should be transferred to the local network based on 
information extracted from the header of the data packet and on the access permission entry 
contained in the access permission list. 

Claims 8-9 depend from claim 7. 

B. Claims 1-9 Are Patentable 

In the Final Office Action, claims 1-9 were rejected under 35 U.S.C. § 103(a) as being 
unpatentable over Fan (U.S. Patent No. 6,219,706) in view of Abadi (U.S. Patent No. 5,315,657). 
The Examiner has not made an adequate showing to support his rejections. 

Fan is directed to access control for networks. Fan discloses a firewall that may
inspect each packet within a data flow to ensure that the packets meet the criteria established by 
a user's security policy. (See col. 7, lines 35-37). The Examiner agrees that Fan does not 
disclose or suggest authenticating a device on the global network in response to a service access 
request message. (See Final Office Action at 3). 

Abadi is directed to compound principals in access control lists. In Abadi, the user
initially establishes a communications channel over which it wishes to converse with the system
resource. (See col. 5, line 34 through col. 6, line 3). This initiates the authentication process,
where the user must demonstrate knowledge of a particular private key. (See col. 4, lines 61-64).
The entity receiving the authentication request must be able to determine accurately that
knowledge of a particular private key implies a particular principal name. (See col. 4, lines 64-
67). The user may then make a request of a resource. Access to system resources is controlled by
access control lists associated with each system resource. (See col. 4, lines 7-10). When a user
makes a request of a resource, the reference monitor for that resource looks for the requesting
user on that resource's access control list, and if the user's name is found, the requested access is
granted. (See col. 4, lines 10-16). The request for a resource occurs after the communication
channel is already established. Thus, the authentication request in Abadi does not include a
request for service from the network, as the Examiner asserts in the Advisory Action. Because
the user in Abadi does not send a service access request message (i.e., a message notifying the
gateway of the service requested by the terminal device on the global network), Abadi does not
disclose or suggest authenticating the device on the global network in response to a service
access request message, as required by the claims.

For the reasons set forth above, neither Fan nor Abadi discloses or suggests 
authenticating a device on the global network in response to a service access request message, as 
required by the claims. Thus, it would not have been obvious to one of ordinary skill in the art at 
the time of the invention to combine the teachings of Fan and Abadi to derive claims 1-9. 
Accordingly, Appellant respectfully submits that claims 1-9 are allowable over Fan in view of 
Abadi. 
C. Conclusion

Appellant respectfully submits that the subject matter of the claims on appeal is not 
disclosed or suggested by Fan or Abadi. Thus, the Examiner has not made an adequate showing 
of obviousness with respect to the subject matter of the rejected claims. Appellant, therefore, 
respectfully requests reversal of the Examiner's decision to reject claims 1-9 under 35 U.S.C. 
§ 103(a) as being unpatentable over Fan in view of Abadi, and respectfully requests allowance of 
all pending claims. 



Respectfully submitted, 



Dated: June 26, 2006 
Chicago, Illinois 60606-1080

VIII. CLAIMS APPENDIX

1. (Previously Presented) A network connection control apparatus for granting or
rejecting access when a device on a global network demands access to services provided on a 
local network, comprising: 

authentication means for authenticating the device on said global network in response to 
a service access request message; 

access permission entry creating means for creating an access permission entry in 
response to an access request from the device authenticated by said authentication means, and 
adding said access permission entry to an access permission list; and 

control means which, upon receiving a data packet sent from the device on said global 
network, determines whether or not said data packet should be transferred to said local network 
based on information extracted from the header of said data packet and on the access permission 
entry contained in said access permission list. 

2. (Original) A network connection control apparatus according to Claim 1, wherein 
said access permission entry creating means extracts access information from an access request 
packet transmitted from the authenticated device, thereby creating an access permission entry 
containing a source IP address, a destination IP address, a source port number, a destination port 
number and a last access permission time. 

3. (Original) A network connection control apparatus according to Claim 1, wherein 
said control means extracts a source IP address, a destination IP address, a source port number 
and a destination port number from the header of the data packet transmitted from the device on 
said global network, compares these extracted items of information with the information about 
the access permission entry contained in said access permission list, and transfers said data
packet to said local network if the two pieces of information correspond in all of the source IP 
address, destination IP address, source port number and destination port number. 

4. (Original) A network connection control apparatus according to Claim 1, wherein 
said control means eliminates the access permission entry corresponding to a relevant access 
from said access permission list in accordance with an access termination notification from the 
device on said global network. 

5. (Original) A network connection control apparatus according to Claim 1, wherein 
said control means calculates the length of time which elapsed from the last access based on a 
last access permission time stored in the access permission entry which corresponds to the time 
at which the data packet was received from the device on said global network, and eliminates the 
access permission entry from said access permission list when the elapsed time exceeds a 
predetermined reference time. 

6. (Original) A network connection control apparatus according to Claim 1, further 
comprising storage means for storing said access permission list. 

7. (Previously Presented) A network connection control method for granting or 
rejecting access when a device on a global network demands access to services provided on a 
local network, comprising the steps of: 

authenticating the device on said global network in response to a service access request 
message; 

creating an access permission entry in response to an access request from the 
authenticated device and adding the access permission entry to an access permission list; 

determining, upon receiving a data packet from a device on said global network, whether
or not said data packet should be transferred to said local network based on information extracted 
from the header of said data packet and on the access permission entry contained in said access 
permission list. 

8. (Original) A network connection control method according to Claim 7, wherein, 
in the step of creating the access permission entry, access information is extracted from an access 
request packet transmitted from the authenticated device, so that an access permission entry can 
be created which contains a source IP address, a destination IP address, a source port number, a 
destination port number and a last access permission time. 

9. (Original) A network connection control method according to Claim 7, wherein a 
source IP address, a source port number, a destination IP address and a destination port number 
are extracted from the header of the data packet transmitted from the device on said global 
network, and the extracted items of information are compared with information about the access 
permission entry contained in said access permission list, whereby said data packet is transferred 
to said local network if the two pieces of information correspond in all of the source IP address, 
destination IP address, source port number and destination port number. 
IX. EVIDENCE APPENDIX

Appellant attaches hereto copies of the patents to (1) Fan (U.S. Patent No. 6,219,706), 
and (2) Abadi (U.S. Patent No. 5,315,657), which were relied upon by the Examiner in his 
rejection entered on December 27, 2005. 
ABSTRACT

An access control system (a firewall) controls traffic to and
from a local network. The system is implemented on a
dedicated network device such as a router positioned 
between a local network and an external network, usually 
the Internet, or between one or more local networks. In this 
procedure, access control items are dynamically generated 
and removed based upon the context of an application 
conversation. Specifically, the system dynamically allocates 
channels through the firewall based upon its knowledge of 
the type of applications and protocol (context) employed in 
the conversation involving a node on the local network. 
Further, the system may selectively examine packet pay- 
loads to determine when new channels are about to be 
opened. In one example, the firewall employs different rules 
for handling SMTP (e-mail using a single channel having a 
well-known port number) sessions, FTP sessions (file trans- 
fer using a single control channel having a well known port 
number and using one or more data channels having arbi- 
trary port numbers), and H.323 (video conferencing using 
multiple control channels and multiple data channels, which 
use arbitrary port numbers) sessions. 

37 Claims, 11 Drawing Sheets 
ACCESS CONTROL FOR NETWORKS

BACKGROUND OF THE INVENTION 

This invention relates to network firewalls for controlling
external access to a particular local network. More
particularly, the invention relates to network firewalls
having dynamic access control lists.

Firewalls were developed to protect networks from unauthorized
accesses. Hackers, corporate spies, political spies,
and others may attempt to penetrate a network to obtain
sensitive information or disrupt the functioning of the
network. To guard against these dangers, firewalls inspect
packets and sessions to determine if they should be
transmitted or dropped. In effect, firewalls have become a single
point of network access where traffic can be analyzed and
controlled according to parameters such as application,
address, and user, for both incoming traffic from remote
users and outgoing traffic to the Internet.

Firewalls most commonly exist at points where private 
networks meet public ones, such as a corporate Internet 
access point. However, firewalls can also be appropriate 
within an organization's network, to protect sensitive 
resources such as engineering workgroup servers or finan- 
cial databases from tl / 1 ;ers. 

Firewalls protect by a variety of mechanisms. Generally,
state-of-the-art firewall technology is described in "Building
Internet Firewalls" by D. Brent Chapman and Elizabeth D.
Zwicky, O'Reilly and Associates, Inc. which is incorporated
herein by reference for all purposes.

One firewall mechanism involves "packet filtering." A
packet filtering firewall employs a list of permissible packet
types from external sources. This list typically includes
information that may be checked in a packet header. The
firewall checks each inbound packet to determine whether it
meets any of the listed criteria for an admissible inbound
packet. If it does not meet these criteria, the firewall rejects
it. A similar mechanism may be provided for outbound
packets.

Often, the firewall maintains the access criteria as an
access control list or "ACL." This list may contain network
and transport layer information such as addresses and ports
for acceptable sources and destination pairs. The firewall
checks packet headers for source and destination addresses
and source and destination ports, if necessary, to determine
whether the information conforms with any ACL items.
From this, it decides which packets should be forwarded and
which should be dropped. For example, one can block all
User Datagram Protocol ("UDP") packets from a specific
source IP address or address range. Some extended access
lists can also examine transport-layer information to
determine whether to forward or block packets.

While packet filtering is a very fast firewall technology, it
is not, unfortunately, very good at handling protocols that
create multiple channels or do not necessarily employ
well-known port numbers. A channel is typically defined by a
source address, a destination address, a source port number,
and a destination port number. In Transport Control Protocol
("TCP"), a channel is referred to as a connection. For some
protocols, such as SMTP (electronic mail), only a single
well-known destination port is used. Conversations involving
these protocols involve only a single channel. For such
cases, the packet filtering mechanism will include an ACL
item defining allowed accesses using the well-known port
number. Because this well-known port number never
changes, the ACL item can be set initially and left
unchanged during the life of the firewall. Other protocols do
not necessarily use well-known port numbers. In these cases,
the port number is assigned dynamically. That is, for each
new session a different port number may be assigned.
Obviously, in these cases, a static packet filtering
mechanism must either block all use of this protocol or allow all
use, regardless of port number. This represents a significant
limitation of standard packet filtering mechanisms.

In addition to single channel protocols, a variety of 
multi-channel protocols are known and others are being 
developed. For example, the File Transfer Protocol ("FTP") 
sets up a control channel using a well-known port and a data 
channel using a variable port number. The control channel is 
used to initiate the FTP connection between the clients and 
a server. Via this control channel, the client and server 
negotiate a port number for a data channel. Once this data 
channel is established, the file to be retrieved is transmitted 
from the server to the client over the data channel. Other 
newer protocols such as the H.323 protocol used for video 
conferencing employ multiple control channels and multiple 
data channels such as channels for transmission of audio 
information and channels for transmission of video infor- 
mation. The port numbers for these data channels can not be 
known ahead of time. Static packet filtering mechanisms 
have difficulty handling FTP and most multi-channel pro- 
tocols. 

Another approach to firewall designs is employed in a 
"Stateful Inspection" firewall provided by Check Point 
Software Technology Ltd. In this approach, the firewall 
inspects not only the packet header but also the packet 
payload. This allows for the possibility of identifying chan- 
nels in which the port number or numbers are set by the 
communicating nodes during a conversation. Specifically, 
the port numbers of channels about to be opened may be 
specified in the payload or payloads of packets transmitted 
over a control channel for a conversation. By inspecting 
packet payloads in a control channel, the firewall can open 
a temporary channel corresponding to the port numbers 
agreed upon by the nodes establishing the session. When the 
session is terminated, the firewall can reseal the channel 
associated with those port numbers. 

Unfortunately, the firewall implemented by Check Point 
resides on a PC or a workstation host. Such host must be 
positioned at the interface of a local network and an external 
network. Typically, it must be used in conjunction with a 
router. This configuration limits the flexibility and efficiency 
of the firewall. 

For the above and other reasons, it would be desirable to 
have an improved firewall design. 

SUMMARY OF THE INVENTION 
The present invention addresses this need by providing an 
access control system and method for controlling traffic to 
and from a local network. The system and procedures of this 
invention are preferably implemented on a dedicated net- 
work device such as a router positioned between a local 
network and an external network, e.g., the Internet, or 
between one or more local networks. In this procedure, 
access control items are dynamically generated and removed 
based upon the context of an application conversation. 
Specifically, the procedures of this invention may dynami- 
cally allocate channels through the firewall based upon its 
knowledge of the type of application and protocol (context) 
employed in the conversation involving a node on the local 
network. Further, the procedure may selectively examine 
packet payloads to determine when new channels are about 
to be opened. In one example, the system employs different 
rules for handling SMTP (e-mail using a single channel
having a well-known port number) sessions, FTP sessions 
(file transfer using a single control channel having a well 
known port number and using one or more data channels 
having arbitrary port numbers), and H.323 (video confer- 
encing using multiple control channels and multiple data 
channels, which use arbitrary port numbers) sessions. 

One aspect of the invention pertains to methods of lim- 
iting access to a local network. The methods may be 
characterized by the following sequence: (a) receiving a 
packet; (b) identifying an application associated with the 
packet; (c) determining whether the packet possesses a 
predefined source or destination address or port; (d) deter- 
mining whether the packet meets criteria for a current state 
of a TCP or UDP session with which it is associated; (e) 
determining whether to examine the payload of the packet; 
and (f) examining the packet payload. The method may also 
include various other operations such as determining 
whether the packet sequence number falls within a defined 
sequence window and determining whether the packet has 
been received after a predetermined timeout period has 
elapsed. 

The process of determining whether the packet meets 
criteria for a current state may involve determining whether 
any state transition associated with a TCP or UDP session 
follows an expected sequence of state transitions (e.g., a 
TCP FIN packet is received after a session is open). The 
process of determining whether to examine the payload may 
involve determining whether the payload may contain an 
intrusion signature. In a specific embodiment, that involves 
determining whether the packet is an FTP packet, an RPC, 
a TFTP packet, or a SMTP packet. If the system identifies an 
intrusion signature in the packet payload of such packet, it 
will drop the packet. The process of determining whether to 
examine the payload may also involve determining whether 
an additional channel of unknown port number may be 
opened (e.g., the connection is an FTP control channel or an 
H.323 channel when less than all data channels have been 
opened). Assuming that the system determines that an addi- 
tional channel could be opened, it examines the packet 
payload to identify a port negotiation command. If such port 
negotiation command is detected, the system may dynami- 
cally modify an access control list to create a path for the 
additional channel. 

The system may also detect when a packet initiates a new 
session (e.g., it is a TCP SYN packet). When this occurs, the 
method may involve (i) creating a state entry (e.g., a data 
structure) for the new session; and (ii) creating one or more 
access control items allowing passage of packets from a 
node identified in the packet initiating the new session. 
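The sequence described in the summary above (a state entry created when a SYN opens a session, the payload examined only where the application context says a further channel may be negotiated, and an access control item created for the channel found in a port negotiation command) is illustrated by the following Python sketch for the FTP case from the background section. It is an added example written for this page, not code from the Fan patent or from Cisco. The local address prefix, the packet representation, the one-use pinhole policy, the requirement that a data port be above 1023, and the check that the PORT command names the client's own address are assumptions added here; the patent describes inspecting an FTP control channel for a port negotiation command but not these details.

```python
"""Context-based firewall sketch: session state plus ACL items opened from an FTP PORT command."""
import re
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# A channel is the 4-tuple (src_ip, dst_ip, src_port, dst_port), as in the patent's background.
Channel = Tuple[str, str, int, int]

# FTP active-mode port command "PORT h1,h2,h3,h4,p1,p2" (RFC 959).
# Assumed here to arrive whole in a single segment; a real inspector must reassemble the stream.
PORT_CMD = re.compile(rb"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


def parse_port_command(payload: bytes) -> Optional[Tuple[str, int]]:
    """Return (ip, port) announced by a PORT command, or None if the payload is not a valid one."""
    m = PORT_CMD.match(payload)
    if not m:
        return None
    octets = [int(g) for g in m.groups()]
    if any(o > 255 for o in octets):
        return None
    return ".".join(map(str, octets[:4])), (octets[4] << 8) | octets[5]


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    syn: bool = False
    payload: bytes = b""


@dataclass
class ContextFirewall:
    local_prefix: str = "10.0.0."                             # constructed: hosts behind the router
    sessions: Set[Channel] = field(default_factory=set)       # state entries for open conversations
    dynamic_acl: Set[Channel] = field(default_factory=set)    # pinholes opened by payload inspection

    def is_local(self, ip: str) -> bool:
        return ip.startswith(self.local_prefix)

    def handle(self, pkt: Packet) -> str:
        """Return 'allow' or 'drop' for one packet, updating session state and the dynamic ACL."""
        key: Channel = (pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port)
        reverse: Channel = (pkt.dst_ip, pkt.src_ip, pkt.dst_port, pkt.src_port)

        if self.is_local(pkt.src_ip):
            # Outbound: a SYN creates the state entry so that return traffic can be admitted.
            if pkt.syn:
                self.sessions.add(key)
            elif key not in self.sessions and reverse not in self.sessions:
                return "drop"  # not part of any known session: out of the expected state sequence
            # Context: only an FTP control channel can announce a data channel, so inspect only there.
            if pkt.dst_port == 21:
                negotiated = parse_port_command(pkt.payload)
                if negotiated is not None:
                    client_ip, client_port = negotiated
                    # Open the hole only for the client itself and only to a non-privileged port;
                    # a PORT naming a third host would let the client open holes on its behalf.
                    if client_ip == pkt.src_ip and client_port >= 1024:
                        self.dynamic_acl.add((pkt.dst_ip, client_ip, 20, client_port))
            return "allow"

        # Inbound from the external network.
        if reverse in self.sessions:
            return "allow"  # return traffic of an established outbound session
        if key in self.dynamic_acl:
            # The negotiated data channel: consume the pinhole and track it as a session.
            self.dynamic_acl.discard(key)
            self.sessions.add(key)
            return "allow"
        return "drop"
```

The design point is that the pinhole is derived from the client's own announcement on a channel the firewall already trusts, and is closed again as soon as one connection has used it; an unsolicited SYN to any other port on the client is still dropped by the static part of the policy.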

Another aspect of the invention pertains to network 
devices such as routers which may be characterized by the 
following features: (a) two or more interfaces configured to 
connect with distinct networks or network segments; (b) a 
memory or memories configured to store (i) one or more 
access control criteria for allowing or disallowing a packet 
based upon header information and (ii) information speci- 
fying the content of an application conversation; and (c) a 
processor configured to compare packet header information 
with the access control criteria and determine whether to 
examine packet payloads based upon the context of the 
application conversation. The network device may include 
an operating system which controls the network device to 
perform functions necessary to control access to the local 
network and route network traffic. To facilitate rapid pro- 
cessing of packets, the network device may include at least 
two processors, at least one of which is associated with one 
of the interfaces. 
The memory may be configured to store the access control
criteria in the form of an access control list. It may also be
configured to store state information such as the state of at
least one of a TCP session and a UDP session. It may further
be configured with information specifying the context of an
application conversation indicating whether a side channel
may be opened for the application.

The processor may be configured to examine packet
payloads when context information in the memory indicates
that a side channel may be opened. In such cases, the
processor may initiate steps to dynamically modify the
access control criteria when a new side channel opens.

These and other features and advantages of the present
invention will be presented in more detail below with
reference to the associated drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram illustrating how a firewall of this
invention may be integrated in a network.

FIG. 2 is a block diagram of a router that may be used in
this invention.

FIG. 3 is a block diagram of a computer architecture that
may be employed with this invention.

FIGS. 4-8 are flow charts depicting a preferred method by
which the firewalls of this invention may protect a local
network.

FIG. 9 is a diagram of a State Information Structure (a data
structure) used in a preferred implementation of this
invention.

FIGS. 10A-10C depict an FTP session using a firewall/
router in accordance with an embodiment of this invention.

DETAILED DESCRIPTION OF THE 
PREFERRED EMBODIMENTS 

1. System Structure and Architecture 
FIG. 1 illustrates a general arrangement by which a local
network allows its hosts (e.g., a host 6) to communicate with
external nodes located on an external network 8 such as the
Internet. Typically local network 4 is connected to external
network 8 via a router 10 which routes packets between
external network 8 and local network 4.

In this invention, router 10 may also double as a firewall
that protects local network 4 from potentially dangerous
accesses from external network 8. When acting as a firewall,
a router 10 will, under certain circumstances, allow host 6 to
initiate a conversation with an external node 12 that is
connected to external network 8. If router/firewall 10 allows
host 6 to initiate such a conversation, it must also allow
appropriate return communications from node 12 to host 6.
Details of how router/firewall 10 allows such conversations
and yet protects the local network will be detailed below, in
one embodiment.

Generally, a firewall of this invention may be specially
constructed for the required purposes, or it may be a
general-purpose programmable machine selectively activated
or reconfigured by a computer program stored in
memory. The processes presented herein are not inherently
related to any particular router or other network apparatus.
Preferably, the invention is implemented on a network
device designed to handle network traffic. Such network
devices typically have multiple network interfaces including
frame relay and ISDN interfaces, for example. Specific
examples of such network devices include routers and
switches. For example, the firewalls of this invention may be
specially configured routers such as specially configured
router models 1600, 2500, 2600, 3600, 4500, 4700, 7200,
and 7500 available from Cisco Systems, Inc. of San Jose,
Calif. A general architecture for some of these machines will
appear from the description given below. In an alternative
embodiment, the firewall may be implemented on a general-
purpose network host machine such as a personal computer
or workstation. Further, the invention may be at least
partially implemented on a card (e.g., an interface card) for a
network device or a general-purpose computing device.

Referring now to FIG. 2, a router 210 suitable for
implementing the present invention includes a master central
processing unit (CPU) 262, low and medium speed
interfaces 268, and high-speed interfaces 212. When acting under
the control of appropriate software or firmware, the CPU
262 is responsible for such router tasks as routing table
computations and network management. It is also
responsible for creating and updating an Access Control List,
comparing incoming packets with the current Access
Control List, generating State Information Structures, inspecting
packet headers and payloads as necessary, enforcing the
state of a session etc. It preferably accomplishes all these
functions under the control of software including an
operating system (e.g., the Internetwork Operating System
(IOS®) of Cisco Systems, Inc.) and any appropriate
applications software. CPU 262 may include one or more processor
chips 263 such as the Motorola MPC860 microprocessor,
the Motorola 68030 microprocessor, or other available
chips. In a preferred embodiment, a memory 261 (such as
non-volatile RAM and/or ROM) also forms part of CPU
262. However, there are many different ways in which
memory could be coupled to the system.

The interfaces 212 and 268 are typically provided as
interface cards (sometimes referred to as "line cards").
Generally, they control the sending and receipt of data
packets over the network and sometimes support other
peripherals used with the router 210. The low and medium
speed interfaces 268 include a multiport communications
interface 252, a serial communications interface 254, and a
token ring interface 256. The high-speed interfaces 212
include an FDDI interface 224 and a multiport ethernet
interface 226. Preferably, each of these interfaces (low/
medium and high-speed) includes (1) a plurality of ports
appropriate for communication with the appropriate media

Regardless of network device's configuration, it may
employ one or more memories or memory modules
(including memory 261) configured to store program
instructions for the network operations and access control
functions described herein. The program instructions may
specify an operating system and one or more applications,
for example. Such memory or memories may also be
configured to store access control criteria (e.g., an ACL), state
information (specifying the context of a network session for
example), etc.

Because such information and program instructions may
be employed to implement the access control systems/
methods described herein, the present invention relates to
machine readable media that include program instructions,
state information, etc. for performing various operations
described herein. Examples of machine-readable media
include, but are not limited to, magnetic media such as hard
disks, floppy disks, and magnetic tape; optical media such as
CD-ROM disks; magneto-optical media such as floptical
disks; and hardware devices that are specially configured to
store and perform program instructions, such as read-only
memory devices (ROM) and random access memory
(RAM). Examples of program instructions include both
machine code, such as produced by a compiler, and files
containing higher level code that may be executed by the
computer using an interpreter.

FIG. 3 is a system diagram of router or other network
device 301 that may implement a firewall in accordance with
this invention. As shown network device 301 includes
various processes and paths that form part of an operating
system for the network device. These may include
configuration processes 303, timer processes 305, IP processes 307,
and interrupt paths 309. IP processes 307 and interrupts 309
are provided for routine packet handling functions as
illustrated in the figure. In addition to these processes and paths,
network device 301 includes firewall code 311 for executing
firewall functions in response to requests from processes
303, 305, and 307 and interrupts 309. In a preferred
embodiment, firewall code 311 may include both an engine
that handles transport layer functions and various inspection
modules, each of which is dedicated to handling a specific
application protocol (e.g., FTP, H.323, etc.). In a further



■ . c . .. ■ , . . ^ .. auuii^auuu uiuiu^ui ic.g., r 1 1 , n.j^.}, eic.i. in a runner 

^££^£Z£^$sta r° ft nl hr 6 311 is f grated with 

processor (available from Advanced Micro Devices corpo- «>e remainder of the network device's operating system, 

ration of Santa Clara Calif.), and in some instances (3) 45 Flrewal1 code 3U ma y make use of various lists, data 
volatile RAM. The independent processors control such structures, and other stored information (collectively indi- 
communicalions intensive tasks as packet switching, media cated bv reference numeral 313 in FIG. 3). Examples 
control and management. By providing separate processors include access control lists, state information ' - 
for the communications intensive tasks, this architecture (described below), timers, and various lists, 

permits the master microprocessor 262 to efficiently perform 50 Regarding the operating system, it may require e> 
routing computations, network diagnostics, security °f c °de 311 under various circumstances associated with 
functions, etc. packet processing. In one example, configuration processes 

The low and medium speed interfaces are coupled to the 303 specify that the FTP protocol is to be inspected. Thus 
master CPU 262 through a data, control, and address bus processes 303 may ask code 311 to configure an access 

265. High-speed interfaces 212 are connected to the bus 265 55 contro1 Ust t0 allow initiation of an FTP session. Timer 
through a fast data, control, and address bus 215 which is in processes 305 may indicate to code 311 that a particular 
turn connected to a bus controller 222. The bus controller session has timed out. In this case, the firewall code 311 may 
functions are provided by a processor such as a 2901 bit slice delete anv state information structure for that session as well 
processor. as the associated ACL items. Still further IP processes 307 

Although the system shown in FIG. 2 is a preferred router 60 and interra P ts ™ may call firewall code 311 during the 
of the present invention, it is by no means the only router course of processing a packet to determine whether it meets 
architecture on which the present invention can be imple- certain ACL ltems or t0 determine whether its payload 
mented. For example, an architecture having a single pro- should be lns P ecte d. 
cessor that handles communications as well as routing 2. Firewall Process 

computations, etc. would also be acceptable. Further, other 65 Overview 

types of interfaces and media could also be used with the Network communications at high levels, such as at the 
rouler . application layer, may be referred to as "conversations." An 
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"application conversation" may have one or many "chan- 
nels" (also referred to as "sessions" or "socket pairs" ). 
These terms were chosen to cover at least TCP and UDP 
communications. In TCP, each channel represents a separate 
"connection." In UDP, which is connectionless, each chan- 5 
ncl is defined by a unique combination of source and 
destination IP addresses and port numbers. All UDP packets 
received within a defined timeout period and having the 
same unique combination of addresses and port numbers are 
deemed to belong to the same session or channel. 10 

An application conversation may include only a single 
well-known channel as in the case of SMTP, HTTP, and 
Telnet or it may contain many channels as in the case of 
certain multimedia applications (e.g., H.323 and 
RealAudio). Still other application conversations may have 
variable numbers of channels as in the case of FTP and TFTP 
which create a new data channel each time a different file is 
transferred from server to client. The present invention 
handles all of these situations. 

Like packet filtering, the access control of this invention 
examines network and transport-layer information. In 
addition, it examines application layer protocol information 
(such as FTP) to learn about and inspect the state of TCP or 
UDP sessions. This mechanism dynamically creates and 
deletes temporary openings in the firewall by temporarily 
modifying access lists to change packet filtering criteria. 
Preferably, the dynamically created access control list items 
are stored in memory in the network device's network 
interface. A firewall of this invention may also maintain state 
information in its own data structures (referred to herein as 
State Information Structures or "SISs") and use that infor- 
mation to create the temporary entries (by dynamically 
modifying its ACL, for example). Thus, a firewall may retain 
state information that is not retained in the access list entries. 
A firewall may inspect each packet within a data flow to 
ensure that the state of the session and packets themselves 
meet the criteria established by a user's security policy. State 
information is used to make intelligent permit/deny deci- 
sions. When a session closes, its temporary ACL entry is 
deleted, and the opening in the firewall is closed. 

A firewall may monitor each application on a per- 
connection basis for comprehensive traffic control capabil- 
ity. The firewall watches application sessions, notes the ports 
each session is using and opens the appropriate channels for 
the duration of the session, closing them when the session is 
finished. Specifically, when a newly authorized session is 
registered, the system may create a new SIS and any new 
ACL items for the session. Thereafter, packets transmitted to 
and from the hosts involved in the connection are allowed to 
pass back and forth across the firewall so as long as the ACL 

The firewalls of this invention preferably consider the 
TCP or UDP session state. In fact, a firewall may base 
decisions on the state of its sessions. To do so, it may 
maintain a record of the state of each connection going 
through. Also, the firewalls preferably keep track of items 
such as: how long was the last transmitted packet in this 
session, are the sequence/acknowledgment numbers climb- 
ing as expected, was the session initiated from the inside or 
outside, is the session still open or has it been closed, and 
what port or ports are the return data channels using? 

The firewalls of this invention may support protocols 
that involve multiple data channels created 
as a result of negotiations in the control channel. As 
mentioned, many Internet and multimedia applications that 
use a "well-known" port address to open an initial control 
channel often use different, dynamically chosen ports for 
data traffic. It is impossible to predict which ports these 
applications may use in a given connection, and some of 
them may use multiple channels over several ports. Thus, 
depending upon the type of application conversation, the 
firewall may also monitor the payloads of the packets it 
allows to pass. This may be the case when, for example, a 
control channel connection is in a state in which ports for 
additional channels are negotiated over a control channel. 
This allows the firewall to determine which additional 
channels should be dynamically opened to the firewall. 
Security Access Policy 

Initially, an administrator or other authorized person may 
create a "security access policy" for the firewall. The pur- 
pose of this policy is to generally define how to protect the 
local network. Often the policy will protect the network 
from all uninvited sessions initiated externally. In such 
cases, the policy may specify which local nodes may par- 
ticipate in conversations outside the local network and the 
protocols under which those conversations may take place. 
In addition, the security access policy may specify particular 
times when access will be permitted to particular users 
operating under particular protocols. For example, it may be 
desirable to provide a security access policy in which certain 
users cannot communicate outside the local network during 
nonbusiness hours. 

A security access policy typically will specify that few if 
any uninvited packets from outside the local network are 
permitted to enter. Then when a local node initiates a 
conversation with an external node, the firewall must antici- 
pate that packets in response will be addressed to the local 
node. It does this by adjusting its ACL to include items 
allowing passage of certain packets having the external 
node's address. 

While a typical security access policy will allow no 
uninvited packets from external sources, some policies may 
allow some limited conversations initiated by external 
nodes. Such policies may place restrictions on the protocols 
that could be used by any external nodes initiating a con- 
versation. 

Various combinations of matching (or not matching) 
packet header fields can be used to support a policy. 
Examples of specific fields that may be examined include IP 
destination address, IP source address, IP protocol field, TCP 
source port, TCP destination port, TCP flags field, SYN 
alone for a request to open a connection, SYN/ACK for a 
connection confirmation, ACK for a session in progress, and 
FIN for session termination. All or some of that information 
may be compared against an ACL and/or used by the firewall 
engine to determine whether the packet is appropriate given 
the current state of the session. 

In a specific example, an access control list item may 
specify the addresses of the communicating hosts (or the 
sub-networks of one or both of these hosts) and the protocol 
under which they communicate (identified by a port number 
for example). More specifically, for example, if the security 
access policy prevents SMTP sessions initiated from IP host 
1.1.1.1 with a destination address 2.2.2.2, then the packet 
filter would discard packets that have IP destination 
address=2.2.2.2, IP source address=1.1.1.1, IP protocol=6 
(for TCP), and Destination port=25 (for SMTP). Such cri- 
teria may represent static Access Control List items. 

The access policy may also restrict a given interface on 
the router or other network device implementing the firewall 
of this invention. The interface may specify a particular type 
of media such as FDDI, Ethernet, Token Ring, etc. Other 
fields may be considered; the policy may add a check "ACK 
bit not set" to guard against the connection being a non- 
SMTP connection initiated outgoing from port 25, for 
example. 
Similarly, packet filters may be employed for other pro- 
tocols such as Novell IPX and Apple Talk protocols, because 
their formats are well documented and understood. 
Process Flow Details 

One implementation of the present invention is detailed in 
the process flow charts depicted in FIGS. 4-8. FIG. 4 
presents a high level overview of the process. This particular 
implementation of the process is referred to by a reference 
number 400. The process begins at 402 and receives a new 
packet at the firewall at a step 404. Note that a packet may 
be associated with a session that has "timed out." Timeout 
criteria are further detailed in a process flow diagram pre- 
sented in FIG. 7. Briefly, if there is too much time between 
receipt of consecutive packets belonging to the same 
session, the firewall will not allow the subsequent packets of 
the session to pass. 

Assuming that the current packet meets the timeout 
criteria, the firewall next determines whether it meets addi- 
tional authorization criteria at a decision step 406. These 
criteria may include such items as the time of day when 
packets can be sent, source and destination IP addresses, 
protocols to which the packets may belong (identified by 
port numbers), and combinations thereof. Such authoriza- 
tion criteria may take the form of ACL items. Most, if not all, 
of this information may be obtained by examining the packet 
header in the manner of a traditional packet filter. The ACL 
items may be divided into static items and dynamic items. 
Static items usually result directly from the user's security 
access policy (as described above). Dynamic items may be 
generated on the fly, typically to allow return traffic for 
sessions or applications initiated with nodes on the local 
network. 

If the firewall determines at decision step 406 that the 
packet is not authorized, it drops the packet at step 408. 
Optionally, the packet is logged at this point. If, on the other 
hand, the firewall determines that the packet is authorized at 
decision step 406, it next determines whether the packet is 
mapped to a currently existing state information structure 
("SIS"). As detailed below, these are data structures that 
maintain "state" information about a currently existing session. 

If the firewall determines that no corresponding SIS exists 
for the current packet, it next determines whether the packet 
is a UDP or a TCP SYN packet of a configured protocol at 
a decision step 412. For TCP protocols, a request for a new 
connection is made with a SYN packet. If the firewall 
determines that the current packet is not a UDP packet or a 
TCP SYN packet of a configured protocol (i.e., decision step 
412 is answered in the negative), it simply passes that packet 
on to the destination. If, on the other hand, the firewall 
determines at decision step 412 that the current packet is in 
fact a UDP or TCP SYN packet of the appropriate protocol, 
it realizes that a new connection is being opened and should 
be watched. Therefore, it creates a new SIS at a step 416. It 
concurrently adds any necessary ACL items to ensure that 
return traffic (from the destination) can pass through the 
firewall, assuming that such return traffic meets other secu- 
rity criteria. The steps of creating a new SIS and associated 
ACL items will be further detailed in a process flow chart 
depicted in FIG. 6. 

Note that not all protocols are necessarily monitored as 
sessions (configured protocols). The network administrator 
may decide that some protocols (e.g., HTTP) need not be 
monitored. For such protocols, the firewall understands that 
no SIS need be created when it encounters a packet of such 
protocol. It simply passes the packet as indicated in step 414. 
This does not necessarily create a security issue as the packet 
must still be authorized at step 406. 
After the firewall creates the new SIS and associated ACL 
items at step 416, it further processes the packet at a step 
418. Similarly, if the firewall determines that the packet it 
receives is currently mapped to an SIS at decision step 410 
(i.e., decision step 410 is answered in the affirmative), it 
processes the packet per step 418. Step 418 is further 
detailed in FIG. 5. After the packet has been processed 
according to this procedure, the firewall directs process 
control back to step 404 where it awaits the next packet. 

Turning now to FIG. 5, the process associated with step 
418 is detailed. This process begins at 502 (corresponding to 
either step 410 or step 416 in process 400) and follows with 
a decision step 504 in which the firewall determines whether 
a TCP connection is being terminated. This is determined by 
simply identifying an appropriate termination flag in the 
packet header. These flags may be either the finish (FIN) flag 
or the reset (RST) flag. Assuming that the firewall deter- 
mines that the TCP connection is being terminated, it then 
transitions to a closing or closed state at a step 506. At the 
appropriate time or upon receipt of a final packet for the 
connection, the SIS for that connection is terminated and the 
associated ACL items for that connection are also deleted. At 
this point, the system may also provide an audit trail which 
details connections by recording time stamps, source hosts, 
destination hosts, ports, total number of bytes transmitted, 

If the firewall determines at decision step 504 that the TCP 
connection is not to be terminated, it next determines 
whether the packet meets certain security criteria at a step 
508. It may do this by examining the packet header. These 
security criteria are typically associated with the particular 
session to which a packet may belong. Examples include 
ensuring that the packet sequence number falls within a 
defined range of sequences (a "sequence window"), the 
packet type is as expected for a given session state, and the 
packet header meets ACL items associated with the particu- 
lar session. The state of a given session may be enforced by 
ensuring that state transition packets arrive in the expected 
order (e.g., a SYN packet is not received while a TCP 
session is in an "open" state.) If the firewall finds that the 
current packet does not meet the criteria specified at step 
508, it drops the packet and optionally issues an alert at a 
step 510. 

Assuming that the packet meets the security criteria, as 
determined at step 508, the firewall next parses the packet 
payload if necessary as indicated at process step 512. The 
parsing procedure is further detailed in a flow chart depicted 
in FIG. 8. After the payload parsing is completed, if needed, 
the firewall may next update the current session state at a 
step 514. It may do this if the current packet indicates a state 
transition. 

In one specific embodiment, there are four states for a 
TCP connection: closed, opening, open, and closing. The 
transition between closed and opening may occur when a 
SYN packet is received for a new session. The transition 
between opening and open states may occur when a SYN/ 
ACK packet is received. The transition to a closing state may 
occur when a FIN packet is received. Finally, the transition 
to the closed state may occur upon receipt of a reset packet. 

In a specific embodiment, UDP communications include the 
following states: opening, open, and closed. The transition to 
opening occurs when a first UDP packet for a new session 
is received. That is, when a UDP packet is received for 
which there is no existing SIS. The transition from opening 
to open occurs when the first reply packet to an initial UDP 
packet is received. The transition to closed occurs when a 
UDP session times out. 
Note that in step 508, the system may drop the packet if 
it does not meet expected state criteria. Such criteria may 
require that state transitions follow an expected sequence: 
e.g., closed, opening, open, and closing for TCP sessions. 
The system might then drop FIN packets received while a 
TCP session is in the closed state or it might drop SYN 
packets while a TCP session is in the open or closing state. 

Step 514 may also involve updating the sequence window 
for a current session based upon the sequence number of the 
current packet. The size of the sequence window may be 
dictated by the network traffic. In a specific embodiment, the 
sequence window is set at about 1 to 2000 for congested 
networks and at about 7000 to 9000 for uncongested net- 
works. Preferably, the firewall tracks the sequence number 
of the packets it receives and the acknowledged sequence 
number of TCP connections. When the sequence number of 
a transmitted packet is not in an expected window range as 
defined based upon the acknowledged sequence window, the 
packet will be dropped (step 510). The sequence number of 
the most recent ACK packet may be maintained in the SIS 
to define the sequence window of allowable packet sequence 
numbers. Other bookkeeping tasks may be performed at step 
514 and updated in the appropriate fields of the SIS. 

Finally, after any necessary updates are performed at step 
514, the firewall forwards the packet to its destination at a 
process step 516 and the process is completed at 518 
(corresponding to step 404 in process 400). 

The process associated with creating a new SIS and 
adding any new ACL items to ensure return traffic (step 416 
of process 400) is depicted in FIG. 6. The process begins at 
602 (corresponding to decision step 412 of process 400). 
Then, if the current packet matches a "pre-gen SIS" 
(described below), the system updates the ACL items of the 
pre-gen SIS and may create one or more output ACL items 
(if warranted). This is accomplished at a process step 604. 

A pre-gen SIS is created when the firewall determines that 
a side channel or data channel is about to be opened. As 
explained below, this determination may be made when 
packet payloads of certain protocols are examined. When the 
firewall finds a payload marker suggesting that a side/data 
channel is about to be opened, it prepares for the new 
connection (associated with the new channel) by creating a 
precursor (pre-gen) SIS. At this point, the firewall may only 
know the destination port (as indicated by a port negotiation 
command in the payload). The ACL items created for the 
pre-gen SIS may specify this destination port, but they 
cannot specify the source port, as this is as yet unknown. The 
second port can be specified when the firewall receives the 
SYN packet for the new side channel. Such SYN packet will 
specify the source port and this information may now be 
added to ACL associated with the pre-gen SIS at step 604. 
If the packet under consideration does not match a pre-gen 
SIS, step 604 is skipped. 

Next, at a step 606, the firewall creates a fresh SIS (for a 
current UDP or TCP SYN packet) and initializes its fields. 
If the new SIS is created based upon a pre-gen SIS, some of 
the initial information is taken from the pre-gen SIS. Finally, 
at a step 608, the firewall creates one or more ACL items to 
ensure return traffic is permitted for the new session. Note 
that if a pre-gen SIS existed, the ACLs may have been 
created at step 604. Without these new ACL items, it is likely 
that return traffic (presumably from the external network) 
would be blocked. The new ACL items will typically allow 
packets from the external node IP address to a local node IP 
address (as identified in the initial TCP SYN or UDP packet 
for the SIS) and the associated port number. The process is 
concluded at 610 (corresponding to step 418 of process 400). 



The timeout provisions are detailed in FIG. 7. These 
provisions were discussed above with reference to step 404 
of process 400. Preferably, the timeout provisions are imple- 
mented via interrupts and can be triggered at any stage in the 
firewall process. These provisions are designed to end a 
session if there is too great a delay between successive 
packets in that session. Leaving a firewall passage open for 
too long a time exposes the local network to a potential 
security problem. 

The process begins at 702 (corresponding to step 402 of 
process 400) and includes a decision step 704 in which the 
firewall determines whether there has been a timeout since 
the last valid packet was received for the session represented 
by an SIS. In a specific embodiment, the timeout is 30 
seconds between successive UDP packets and 3600 seconds 
between successive TCP packets. Preferably, these timeout 
periods are configurable. If the firewall determines that the 
timeout period has been exceeded (by receipt of an interrupt 
for example), it ends the session and deletes the associated 
SIS and ACL items at a process step 706. If, on the other 
hand, the timeout period has not been exceeded (decision 
step 704 is answered in the negative), the firewall restarts the 
appropriate timer when the next packet for that session is 
received. See process step 708. The process is then com- 
pleted at 710 which corresponds to step 406 in process 400. 

To provide a flexible but secure firewall, a security 
algorithm must examine packet payloads. Preferably, the 
payload is examined under only certain conditions. By 
preventing the payload from being examined in all cases, the 
performance of the system is improved. In a preferred 
embodiment, the payload is only examined under two cir- 
cumstances. First, the payload may be examined to identify 
any intrusion signatures. Certain types of intrusion attempts 
may be detected by comparing payloads with well-known 
intrusion signatures. In a specific embodiment all packets of 
FTP, RPC, TFTP, and SMTP are examined for intrusion 
signatures. Packet payloads of other protocols are not exam- 
ined for such signatures in this specific embodiment. 

Second, the payload is examined when there is a possi- 
bility that an additional channel may be opened. When this 
is a possibility, the firewall of this invention watches packet 
payloads to determine whether a port negotiation command 
has been detected. As noted, some application conversations 
involve multiple channels. Often there are one or more 
control channels and one or more data channels. H.323 
video conferencing, for example, includes up to three con- 
trol channels and four data channels. One data channel 
involves transmission of audio data from a first party, 
another data channel involves transmission of video data 
from the first party, another data channel involves transmis- 
sion of audio data from a second party, and the final data 
channel involves transmission of video data from the second 
party. Each new data channel includes a port number that 
can not be known ahead of time. Each new channel requires 
a dynamic adjustment of the firewall to temporarily allow 
data to pass via that channel. The generation of a new 
channel is prefaced by a "port negotiation command" in a 
control channel. 

In a preferred embodiment, only the payloads of control 
channels are examined for port negotiation commands. This 
is because data channel payloads do not indicate that addi- 
tional channels may be opened. Further, control channel 
payloads are examined only when there is a possibility that 
an additional channel may be opened. In an H.323 
conversation, for example, when all seven channels have 
been opened, there is no need to further monitor the pay- 
loads of the control channels. And, in a NetMeeting 
videoconference, the system preferably inspects the TCP 
control channel used to establish media channels. This 
control channel contains information that opens new media 
channels. The system watches it to identify those ports that 
media channels use and opens additional channels on a 
dynamic basis. The media and media control channels for 
audio and video are not inspected or monitored, because 
these channels only transport data and cannot open addi- 
tional channels. This maximizes router and network perfor- 
mance to assure proper delivery of time-sensitive data. 

In a specific embodiment, the firewall engine and asso- 
ciated application modules contain the intelligence to know 
when to watch payloads for new channels. When a port 
negotiation command is detected, the firewall recognizes 
that a data channel defined by port numbers for the com- 
municating nodes is about to be established. In the payload, 
it detects the identity of one port of the data channel through 
which data will be transmitted in the first direction. At this 
point, the firewall of this invention creates an ACL item for 
that port. The other port number of a new channel is 
identified in the header of the first packet following a port 
negotiation command that specifies the negotiated port. That 
packet is allowed through, and from its port number, the 
firewall creates another ACL item that together with the 
previously created ACL item defines the new data channel. 

The overall process of parsing a payload (step 
512 of process 418) is detailed in FIG. 8. As shown there, the 
process begins at 802 (corresponding to decision step 508 of 
process 418) and follows with a decision step 804 in which 
the firewall determines whether the current session is one of 
the following protocols: FTP, TFTP, RPC, or SMTP. If so, it 
examines the payload to determine whether it has a specified 
intrusion signature. See decision step 806. For these 
protocols, it is understood that certain intrusion mechanisms 
are known and used to defeat network security. These 
mechanisms leave certain signatures that can be specified for 
detection ahead of time. If such intrusion signature is 
identified at decision step 806, the firewall drops the current 
packet and resets the connection at a step 808. 

Assuming that no intrusion signature is located at decision 
step 806 or that the protocol of the current packet is not one 
of FTP, TFTP, RPC, or SMTP, the firewall next determines 
whether it is expecting additional channels to be opened at 
a decision step 810. As mentioned, certain types of appli- 
cations may have multiple channels: typically a control 
channel and one or more side or data channels. The ports 
associated with such side or data channels cannot be known 
ahead of time. At step 810, the system determines whether 
the packet is associated with an application that could open 
multiple channels (e.g., FTP or H.323) and, if so, whether 
any other channels might be opened for that application. As 
mentioned many applications, such as H.323, have an 
expected or maximum number of side channels. 

Assuming that the application is of a type which may 
involve additional channels (and not all possible channels 
associated with that application have yet been opened), the 
firewall next examines the packet's payload to determine 
whether it includes a port negotiation command. See deci- 
sion step 812. Such commands indicate that a new channel 
is likely to be opened very soon. If the firewall does detect 
such command at decision step 812, it next prepares to 
create a new passage for a new channel at a process step 814. 
This involves creating a pre-gen SIS and associated ACL 
items as mentioned above. Note that at this stage the ACL 
items can specify source and destination addresses and 65 
possibly a destination port, but usually not a source port. The 
source port for the channel may be determined when a 
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subsequent SYN packet for the new channel is received. 
After the appropriate preparations are undertaken, the pro- 
cess is complete at 816 (corresponding to step 514 of process 
418). Also, if either of decision steps 810 or 812 is answered 
in the negative, the process is completed at 816. 

Note that the firewall only inspects packet payloads in control 
channels where port negotiation commands may appear. 
This conserves system resources. Further, only a subset of 
the packets in a control channel will have their payloads 
inspected. Most packets include a "command name" which 
indicates whether the payload is likely to contain port or 
address information such as a port negotiation command. If 
the command name is not of a type that could include a port 
negotiation command, the firewall discontinues its inspec- 
tion of the payload. This further conserves resources. 
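As an added worked example (not code from the Fan patent or from any product it describes), the following Python sketch implements the payload inspection path of decision steps 810 through 814 for an FTP control channel, and the later promotion of the pre-gen SIS when the SYN for the data channel arrives. The command names PORT and EPRT, their syntax, and the class layout are assumptions of this example; the text names no particular command.

```python
"""Selective payload inspection of an FTP control channel (added example).

Only control-channel payloads are looked at, only commands whose name can carry
port information are parsed, and a detected port negotiation produces a pre-gen
SIS plus an ACL item whose source port is left open until the channel's SYN.
The PORT/EPRT syntax and the class layout are assumptions of this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Assumption: FTP active-mode commands that announce a data-channel endpoint
# (RFC 959 PORT, RFC 2428 EPRT). Any other command name ends the inspection.
PORT_NEGOTIATION_COMMANDS = {"PORT", "EPRT"}
_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.I)
_EPRT_RE = re.compile(r"^EPRT\s+\|(\d)\|([^|]+)\|(\d+)\|$", re.I)


@dataclass
class AclItem:
    src_addr: str
    dst_addr: str
    dst_port: int
    src_port: Optional[int] = None   # unknown until the channel's SYN is seen
    dynamic: bool = True             # created for a side channel, removed with it


@dataclass
class Sis:
    """Minimal session information structure for one channel."""
    src_addr: str
    dst_addr: str
    dst_port: int
    src_port: Optional[int] = None
    state: str = "closed"            # closed -> opening -> open -> closing
    pre_gen: bool = False


def parse_port_negotiation(payload: bytes) -> Optional[tuple[str, int]]:
    """Return the (address, port) announced by PORT/EPRT, or None to stop inspecting."""
    try:
        line = payload.decode("ascii").strip()
    except UnicodeDecodeError:
        return None
    name = line.split(None, 1)[0].upper() if line else ""
    if name not in PORT_NEGOTIATION_COMMANDS:      # command name cannot carry a port
        return None
    m = _PORT_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            return None
        port = (p1 << 8) | p2
        return (f"{h1}.{h2}.{h3}.{h4}", port) if port else None
    m = _EPRT_RE.match(line)
    if m and m.group(1) == "1":                     # "1" selects IPv4 in EPRT
        port = int(m.group(3))
        return (m.group(2), port) if 0 < port < 65536 else None
    return None


class Firewall:
    """ACL plus session table, driven by control-channel payloads (steps 812-814)."""

    def __init__(self) -> None:
        self.acl: list[AclItem] = []
        self.sessions: list[Sis] = []

    def on_control_payload(self, payload: bytes, server_addr: str) -> Optional[Sis]:
        """Inspect a client->server control packet; prepare a passage if it negotiates a port."""
        hit = parse_port_negotiation(payload)
        if hit is None:
            return None
        client_addr, port = hit
        # The server will connect back to client_addr:port from a source port that
        # is not known yet, so the ACL item and the pre-gen SIS leave src_port open.
        self.acl.append(AclItem(src_addr=server_addr, dst_addr=client_addr, dst_port=port))
        pre = Sis(src_addr=server_addr, dst_addr=client_addr, dst_port=port, pre_gen=True)
        self.sessions.append(pre)
        return pre

    def on_syn(self, src_addr: str, src_port: int, dst_addr: str, dst_port: int) -> bool:
        """Header check of an inbound SYN against the ACL, then promotion of the pre-gen SIS."""
        item = next((i for i in self.acl
                     if (i.src_addr, i.dst_addr, i.dst_port) == (src_addr, dst_addr, dst_port)
                     and i.src_port in (None, src_port)), None)
        if item is None:
            return False                             # dropped: no ACL item admits it
        for s in self.sessions:
            if s.pre_gen and (s.src_addr, s.dst_addr, s.dst_port) == (src_addr, dst_addr, dst_port):
                s.src_port, s.pre_gen, s.state = src_port, False, "opening"
                item.src_port = src_port             # narrow the item to the learned source port
                return True
        return False                                 # admitted by the ACL but no session expects it

    def on_close(self, session: Sis) -> None:
        """Tear down a finished side channel together with its dynamic ACL items."""
        self.sessions.remove(session)
        key = (session.src_addr, session.dst_addr, session.dst_port)
        self.acl = [i for i in self.acl
                    if not (i.dynamic and (i.src_addr, i.dst_addr, i.dst_port) == key)]
```

Two details carry the security point. The parser stops as soon as the command name cannot carry a port, which is the resource-saving check described above, and it rejects malformed PORT arguments rather than guessing, so a crafted payload cannot open a passage to an arbitrary address. The ACL item created at step 814 is deliberately wide on the source port and is narrowed the moment the SYN reveals it; on teardown the dynamic items go away with the session.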
3. State Information 

As indicated above, the systems and methods of this 
invention preferably monitor the state of each channel. To 
accomplish this, they may create an SIS for each channel, 
even if there are other channels associated with the appli- 
cation. The firewall engine (and/or associated application 
modules) uses its knowledge of the expected behavior in 
each state to analyze packet headers and determine whether 
the current packet comports with what it expects in the 
current state. If a packet is not of the type expected given the 
current state, the firewall will drop it because it may be an 
illicit packet masquerading as a packet of a current session. 

FIG. 9 depicts one example of a SIS 900 that may be used 
with this invention. The SIS includes various fields for use 
in monitoring a particular session. In SIS 900, these fields 
include source and destination addresses 902 and 904 and 
ports 906 and 908 defining a socket pair, a protocol type 910 
(e.g., UDP or TCP), a TCP state 912 (as defined by the TCP 
standard), a session state 914 as described above (e.g., 
closed, opening, open, closing for TCP; opening, open, and 
closed for UDP), sequence information 916 including the 
sequence numbers of the initiator's and responder's most 
recent packets and the size of the sequence window for the 
initiator and responder, timeout information 918 specifying 
timestamps on the most recent packet or packets in the 
session and relevant timeout period, various flags 920 (e.g., for 
inspecting at the process level, inspecting the TCP 
packet order, inspecting the TCP termination sequence, 
inspecting Network Address Translation information, 
inspecting the payload, etc.), a list of ACL items 922 
associated with the session (dynamically created), and point- 
ers 924 to other sessions (SISs) that form part of the same 
application conversation. Regarding the last of these 
(pointers to other sessions), note that a given application 
conversation such as FTP or H.323 may have multiple 
channels (each defined by a separate session or TCP 
connection). The firewall often needs to check on the status 
of a related session in order to make a decision about a 
packet in a different session. 
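To make the FIG. 9 fields concrete, here is an added Python example (not code from the patent) of a session information structure that checks each packet against the expected session state, the sender's sequence window, the session timeout, and the state of related sessions in the same application conversation. The transition table, the window arithmetic, and the packet representation are this example's assumptions; the text names the states but does not spell out the transitions.

```python
"""Session state checking modelled on the FIG. 9 session information structure.

Added example, not the patent's code. Each packet must fit the expected session
state, fall inside the sender's sequence window, arrive before the timeout, and
belong to a conversation whose related channels are still alive. The transition
table and packet representation are assumptions of this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Expected TCP transitions keyed by (session state, flags on the packet).
TCP_TRANSITIONS = {
    ("closed", "SYN"): "opening",
    ("opening", "SYN-ACK"): "opening",
    ("opening", "ACK"): "open",
    ("open", "ACK"): "open",
    ("open", "PSH-ACK"): "open",
    ("open", "FIN-ACK"): "closing",
    ("closing", "FIN-ACK"): "closing",
    ("closing", "ACK"): "closed",
}
SEQ_MOD = 1 << 32   # TCP sequence numbers wrap at 2**32


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    seq: int
    length: int = 0


@dataclass
class Endpoint:
    addr: str
    port: int
    next_seq: Optional[int] = None   # sequence number expected next from this side
    window: int = 65535


@dataclass
class Sis:
    initiator: Endpoint
    responder: Endpoint
    protocol: str = "TCP"
    state: str = "closed"
    last_seen: float = 0.0
    timeout: float = 300.0
    related: list[Sis] = field(default_factory=list)   # other channels of the same conversation

    def _sender(self, p: Packet) -> Optional[Endpoint]:
        """Which side of the socket pair sent p, or None if p is not this session's."""
        fwd = (self.initiator.addr, self.initiator.port, self.responder.addr, self.responder.port)
        if (p.src, p.sport, p.dst, p.dport) == fwd:
            return self.initiator
        if (p.src, p.sport, p.dst, p.dport) == (fwd[2], fwd[3], fwd[0], fwd[1]):
            return self.responder
        return None

    def inspect(self, p: Packet, now: float) -> str:
        """Return "pass" or "drop: <reason>"; the SIS is updated only when the packet passes."""
        sender = self._sender(p)
        if sender is None:
            return "drop: not this session"
        if p.flags == "RST":                  # an abort ends the session from any state
            self.state = "closed"
            return "pass"
        if self.state != "closed" and now - self.last_seen > self.timeout:
            return "drop: timeout"
        if any(r.state == "closed" for r in self.related):
            return "drop: related session closed"   # e.g. a data channel whose control channel is gone
        new_state = TCP_TRANSITIONS.get((self.state, p.flags))
        if new_state is None:
            return "drop: unexpected in state " + self.state
        # Accept only [next_seq, next_seq + window); retransmissions below next_seq
        # are treated as out of window here, a simplification of real TCP tracking.
        if sender.next_seq is not None and (p.seq - sender.next_seq) % SEQ_MOD >= sender.window:
            return "drop: sequence outside window"
        consumed = p.length + (1 if "SYN" in p.flags or "FIN" in p.flags else 0)
        sender.next_seq = (p.seq + consumed) % SEQ_MOD
        self.state = new_state
        self.last_seen = now
        return "pass"
```

The order of the checks matters: a packet that is not part of the socket pair never touches the state, an out-of-window segment is dropped before the state advances, and a packet whose flags do not fit the current state is treated as a possible injection even when its addresses and ports are right. The related-session check is the use of the FIG. 9 pointers 924: a data channel stops passing traffic once its control channel has closed.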

While not illustrated in FIG. 9, the SIS may also include alternative addresses and port numbers that may be used with a local network employing Network Address Translation. Network Address Translation (NAT) enhances network privacy by hiding internal addresses from public view. It also reduces the cost of Internet access by enabling conservation of registered IP addresses. Network Address Translation is described in K. Egevang and P. Francis, "The IP Network Address Translator (NAT)," RFC 1631, Cray Communications, NTT, May 1994, which is incorporated herein by reference for all purposes.



4. Example 

FIGS. 10A through 10C illustrate how the present invention may be employed to control an FTP session. In these figures a router/firewall 1001 connects a local network 1003 to an external network 1005 (e.g., the Internet). Initially, router/firewall 1001 has received the SYN, ACK/SYN, and ACK packets necessary to establish an FTP control channel. All such packets had to meet criteria specified in an ACL 1007. Upon receipt of the SYN packet, firewall/router 1001 created an SIS 1009 for the FTP control channel.

As shown in FIG. 10A, a packet 1011 from external network 1005 enters firewall/router 1001 through an interface and must have its header checked against ACL 1007. If it does not meet the criteria specified by ACL 1007, it is dropped as indicated by arrow 1013. As the packet is for the FTP control channel, it must also meet criteria associated with SIS 1009 (state, sequence number, etc.). If it does not meet these criteria, it is dropped as indicated by arrow 1015. In this case, it passes as indicated by arrow 1017. Along the way, SIS 1009 is updated with information from packet 1011 (sequence number, state, etc.).

Next, as illustrated in FIG. 10B, an FTP packet 1019 with a port negotiation command is received from local network 1003. Because it contains a port negotiation command, firewall/router 1001 opens a pre-gen SIS 1021 to prepare for the new data channel. It also adds appropriate ACL items to ACL 1007 in anticipation of the new data channel. These items specify a first port number for the new data channel as identified in the port negotiation command. This allows return traffic over the new channel.

Then, as illustrated in FIG. 10C, a packet 1023 for the new data channel is received from external network 1005. Because ACL 1007 has been modified to allow it through, it passes to inspection per pre-gen SIS 1021, which is now converted to a regular SIS. In addition, the second port number for the data channel appears in the header of packet 1023. This information is used to modify the appropriate item(s) in ACL 1007 pertaining to the FTP data channel.

Data for the FTP data channel continues to flow across firewall/router 1001 so long as it meets the various requirements of ACL 1007 and SIS 1021. Eventually, the connection associated with the channel is terminated and SIS 1021 is removed. The dynamically created ACL items associated with the channel are also removed from ACL 1007.

5. Other Embodiments

Although the foregoing invention has been described in some detail for purposes of clarity of understanding, it will be apparent that certain changes and modifications may be practiced within the scope of the appended claims. For example, the local network described above may be a single local area network or multiple local area networks connected as a wide area network. Further, the security algorithm described above may be applied to a single machine as well as a network.

What is claimed is:

1. A method, implemented on a dedicated network device which receives and transmits network traffic, for limiting access to a local network, the method comprising:

receiving a packet at the network device;

identifying an application associated with the packet;

determining whether to examine the payload of the packet based on whether certain conditions are met; and

examining the packet payload based on the determination.

2. The method of claim 1, wherein determining whether to examine the payload comprises determining whether the payload may contain an intrusion signature.

3. The method of claim 1, wherein determining whether to examine the payload comprises determining whether the packet is an FTP packet, an RPC packet, a TFTP packet, or a SMTP packet; and

wherein examining the packet payload identifies the presence or absence of an intrusion signature.

4. The method of claim 1, wherein determining whether to examine the payload comprises determining whether an additional channel of unknown port number may be opened.

5. The method of claim 4, wherein examining the packet payload comprises examining the payload to identify a port negotiation command.

6. The method of claim 5, further comprising modifying the network device to allow packets associated with the additional channel to pass.

7. The method of claim 6, wherein the packets are allowed to pass by dynamically modifying an access control list to create a path for the additional channel.

8. The method of claim 1, further comprising:

examining the packet's header; and

determining whether information in the packet header corresponds to an access control item.

9. The method of claim 8, comprising dynamically adjusting a list of access control items based upon examination of the packet payload.

10. The method of claim 1, further comprising:

identifying a session associated with the packet;

determining whether the packet has been received after a predetermined time out period has elapsed since the last packet of the session was received; and

if the predetermined time out period has elapsed, rejecting the packet.

11. A computer program product comprising a computer readable medium on which is stored program instructions for a method, implemented on a dedicated network device which receives and transmits network traffic, the method limiting access to a local network, and comprising:

receiving a packet at a network device;

identifying an application associated with the packet;

determining whether to examine the payload of the packet based on whether certain conditions are met; and

examining the packet payload based on the determination.

12. The computer program product of claim 11, wherein the instructions for determining whether to examine the payload comprise instructions for determining whether an additional channel of unknown port number may be opened in the application associated with the packet.

13. The computer program product of claim 11, wherein the program instructions further specify:

identifying a session associated with the packet;

determining whether the packet has been received after a predetermined time out period has elapsed since the last packet of the session was received; and

if the predetermined time out period has elapsed, rejecting the packet.

14. A dedicated network device which receives and transmits network traffic and capable of controlling access to a local network, the network device comprising:

multiple interfaces configured to connect with distinct networks or network segments;

a memory or memories configured to store (i) one or more access control criteria for allowing or disallowing a packet based upon header information and (ii) information specifying an application conversation; and

a processor configured to compare packet header information with the access control criteria and to determine whether to examine packet payloads based upon the context of the application conversation.

15. The network device of claim 14, wherein the network device is a router or a switch.

16. The network device of claim 14, wherein the memory is configured to store the access control criteria in the form of an access control list.

17. The network device of claim 14, wherein the memory is configured to store the state of at least one of a TCP session and a UDP session.

18. The network device of claim 14, wherein the memory is configured with information specifying the context of an application conversation indicating whether a side channel may be opened for the application.

19. The network device of claim 14, wherein the processor is configured to examine packet payloads when context information in the memory indicates that a side channel may be opened.

20. The network device of claim 19, wherein the processor is configured to dynamically modify the access control criteria when a new side channel opens.

21. The network device of claim 14, further comprising an operating system controlling the network device to perform functions necessary to control access to the local network and route network traffic.

22. The network device of claim 14, wherein the network device comprises at least two processors, at least one of which is associated with one of the multiple interfaces.

23. A method implemented on a computer or dedicated network device for controlling access to a local network, the method comprising:

receiving a packet;

determining whether the packet possesses a predefined source or destination address or port;

determining whether the packet meets criteria for a current state of a TCP or UDP session with which it is associated;

determining whether to examine the packet's payload based on whether certain conditions are met; and

examining the packet's payload based on the determination.

24. The method of claim 23, further comprising determining whether the packet sequence number falls within a defined sequence window.

25. The method of claim 23, further comprising:

determining whether the packet has been received after a predetermined timeout period has elapsed since the last packet of the session was received; and

if the predetermined timeout period has elapsed, rejecting the packet.

26. The method of claim 23, wherein determining whether the packet possesses the predetermined source or destination address or port comprises matching information in the packet header against information in an access control list.

27. The method of claim 23, wherein determining whether the packet meets criteria for a current state comprises determining whether any state transition associated with a TCP or UDP session follows an expected sequence of state

28. The method of claim 23, wherein determining whether 
to examine the payload comprises determining whether the 
payload may contain an intrusion signature. 

29. The method of claim 23, wherein determining whether 
to examine the payload comprises determining whether the 
packet is an FTP packet, an RPC, a TFTP packet, or a SMTP 
packet; and 

wherein examining the packet payload identifies the pres- 
ence or absence of an intrusion signature. 

30. The method of claim 23, wherein determining whether 
to examine the payload comprises determining whether an 
additional channel of unknown port number may be opened. 

31. The method of claim 30, wherein examining the 
packet payload comprises examining the payload to identify 
a port negotiation command. 

32. The method of claim 31, further comprising modify- 
ing the network device to allow packets associated with the 
additional channel to pass. 

33. The method of claim 32, wherein the packets are 
allowed to pass by dynamically modifying an access control 
list to create a path for the additional channel. 

34. The method of claim 31, wherein the packet initiates 
a new session, the method further comprising: 

creating a state entry for the new session; and 
creating one or more access control items allowing pas- 
sage of packets from a node identified in the packet 
initiating the new session. 

35. A computer program product comprising a computer readable medium on which are stored computer program instructions for a method of controlling access to a local network, the computer program instructions specifying:

receiving a packet;

determining whether the packet possesses a predefined source or destination address or port;

determining whether the packet meets criteria for a current state of a TCP or UDP session with which it is associated;

determining whether to examine the packet's payload based on whether certain conditions are met; and

examining the packet's payload based on the determination.

36. The computer program product of claim 35, wherein 
the instructions for determining whether the packet meets 
criteria for the current state comprises instructions for deter- 
mining whether any state transition associated with the TCP 
or UDP session follows an expected sequence of state 



37. The computer program product of claim 35, wherein 
the program instructions further specify: 

determining whether the packet initiates a new session; 

creating a state entry for the new session; and 

creating one or more access control items allowing pas- 
sage of packets from a node identified in the packet 
initiating the new session. 
[57] ABSTRACT

An access control list for determining the access rights of principals in a distributed system to a system resource is disclosed wherein the access rights of a specified principal are based on the access rights delegated to that principal.
COMPOUND PRINCIPALS IN ACCESS CONTROL LISTS

CROSS REFERENCE TO RELATED APPLICATIONS

This application is one of four filed simultaneously with essentially identical specifications including: U.S. Ser. No. 589,923 by Abadi, Goldstein, & Lampson, "COMPOUND PRINCIPALS IN ACCESS CONTROL LISTS"; U.S. Ser. No. 589,924 by Gasser, Goldstein & Kaufman, "A METHOD FOR PERFORMING GROUP EXCLUSION IN LARGE HIERARCHICAL GROUP STRUCTURES"; U.S. Ser. No. 589,925 by Gasser, Goldstein, Kaufman, & Lampson, "DELEGATION TO SESSION KEY"; U.S. Ser. No. 589,926 by Gasser, Goldstein, & Kaufman, "FAST MEMBERSHIP VERIFICATION IN LARGE HIERARCHICAL GROUPS".

1. BACKGROUND OF THE INVENTION 
1.1. Time Sharing Systems 

In most large computing systems a timesharing com- 
puting environment is implemented. As illustrated in 
FIG. 1C, such a system may include "resources" such 
as one or more central processing units (CPUs) 2 con- 
figured to share components such as main memory 3, 
disk or tape storage 4, and a printer 6. The system may 
also include user terminals such as workstations WA 
and WB, which in many implementations may have 
their own local resources such as one or more CPUs 
and associated main memory (not shown) as well as 
perhaps a printer 7 and disk storage 8. The CPU(s) 2 
execute program sequences that cause the CPUs to 
process commands and requests transmitted by users 
from the workstations WA and WB in accordance with 
known timesharing methods. 

In such an environment, the system resources are 
centrally managed by a trusted authority. Because the 
central authority controls all access to the system re- 
sources, it is often fully trusted. In other words, the 
central authority is designed and maintained to ensure 
that the security plan for the timesharing system is properly 
implemented. In such timesharing environments, 
when a "principal" on the system (e.g., a user) requests 
access to a system "resource" (e.g., a printer or file 
server) the central trusted authority determines 
whether the principal possesses the necessary security 
attributes to access the resource. If so, the trusted au- 
thority allows the access. 

In these timesharing computer systems and the like, 
almost all access control is handled by the central 
trusted authority. As such, the trustworthiness of the 
central authority must be maintained. Because of the 
importance in having a trusted central authority, many 
prior art devices have emphasized the importance of 
having a single, trusted controlling authority. 

1.2. Distributed Systems 
In contrast to timesharing environments, there also 
exist "distributed systems." In distributed systems sev- 
eral separate computer systems are linked together in a 
network to share various system resources. In such 
systems, there is generally no single trusted central 
manager that can implement the security policy for the 
system. As such, each system resource on the network 
is often required to implement its own security policy. 
In such distributed systems a user typically requests access to a particular system resource. That system resource is then itself responsible for determining the access rights of the requester and allowing or rejecting the requested access.

The need for each resource to enforce its own security policy often results in complexities not encountered in timesharing environments. For example, each principal (e.g., user) on a distributed system is often assigned a user name. Access to the system resources is often on the basis of the particular access rights associated with a particular user and his name.

In theory, each system resource could include a listing of all of the principals and their access rights and user names. However, such a situation is often impractical as it would require additional memory and maintenance for each resource. Further, if numerous system resources exist, the addition (or deletion) of one principal would require the modification of numerous lists.

One alternative utilized in the prior art is to have a central list accessible to all resources on the network. Because of the need for all system resources to have access to all of the principals and their names, a list of the principals and their names is often stored in a "global naming service" (GNS). A global naming service is a system resource which contains a list of all of the principals authorized to use the system and their names. Unlike a timesharing environment where the naming service is centrally controlled, in a distributed environment, the naming service is merely one of many system resources.

In most security systems, access to a system resource is determined on the basis of group memberships. Thus, the security policy of a particular resource may dictate that members of only a certain number of selected groups have access to that resource. Because the principal requests access to the resource, the resource must determine whether the requester is a member of one of the selected groups. If so, access is allowed. If not, access is denied.

Because it may be desirable for groups to contain other groups (or subgroups) the verification of a particular principal as a member of a large structured group can often be extremely slow.

1.3. Security Needs for a Distributed System

As discussed above, security systems for distributed networks often encounter complexities not found in centralized networks. For example, any system attempting to provide security for a distributed network must have the ability for a user to authorize a computer to operate on the user's behalf and only to do so while authorized. Further such a system should have the ability for an authorized computer to present authorization to other computers in a secure and verifiable manner; and the ability for the user to rescind the authorization.

Because distributed systems generally have several workstations, it is desirable to allow a user to access the system resources regardless of which workstation he is logged into. However, because all systems on the network cannot be equally trusted, it may be desirable to prevent a user from accessing certain information on certain untrusted workstations.

Second, because distributed networks often have a large number of network entities, it is generally desirable to organize the entities into manageable groups. To implement a security policy properly, it is desirable to 

5,315,657

be able to manage these groups through an effective security policy.

2. SUMMARY OF THE INVENTION

The present invention addresses the goals discussed above through the use of a unique distributed security system. Each entity on the distributed system is given a unique name and a private key. This private key enables each entity to identify itself to other entities and to encode certain messages. The messages encoded by the private keys may be decoded through the use of public keys. The public keys are stored with the entities' names in a global naming service.

The global naming service includes a list of each of the entities, and a listing of the groupings and subgroupings into which the entities are divided. A group hint may be stored with the entities' name to enable fast searching of large groups.

Each entity may delegate access rights to other entities on the network. To prevent improper use of delegation, the present invention provides for the generation of different session keys each time the user logs onto or off of the network.

A unique method for implementing security policies is also disclosed. An access control list is provided for each system resource. This access control list contains a list of all possible access privileges and the users that have these privileges. Thus, when a user requests access to a system resource, the user's name is compared to the resource's access control list. If the user's name is found on the list next to the requested access, access will be granted.

The methods, techniques, and data structures described here may be implemented by loading one or more sequences of program statements from a program storage device (e.g., a computer tape, a magnetic or optical disk storage device, or other storage means) into the memory or memories of a digital computer or computers configured as described herein and causing the computer(s) to execute program sequences as appropriate. The design and development of specific program sequences is a matter of routine work for persons of ordinary skill (which of course should include familiarity with the computer(s), operating system(s), etc. that are used in the implementation) who have the benefit of this disclosure.

3. BRIEF DESCRIPTION OF THE DRAWINGS

FIGS. 1A-1B illustrate the use of encryption keys to authenticate principals in a distributed computing system.

FIG. 1C illustrates a timesharing computing environment.

FIGS. 2A-2B illustrate a method for authenticating principals in the present invention.

FIGS. 3, 4A and 4B illustrate the use of search hints in the present invention.

FIG. 5 illustrates one method for delegating authorization in the present invention.

FIG. 6 illustrates chained delegation.

FIGS. 7A-7C illustrate delegation to a session key.

FIGS. 8 and 9A-9B illustrate the use of access control lists.

FIGS. 10 and 11 illustrate basic access right expressions.

FIG. 12 illustrates group exclusion in the present invention.

FIGS. 13A-14C illustrate the use of compound principals in access control lists.

FIG. 15 illustrates a timesharing computing environment.

4. DEFINITIONS AND CONVENTIONS

This specification discloses aspects of a distributed system in which access to system resources is controlled by access control lists associated with each system resource. When a user makes a request of a resource, a reference monitor (the controller of access to the resource) for that resource looks for the requesting user on that resource's access control list. [...]

Because the system of the invention deals with [...] and with public and private keys, a convention is adopted for [...]. The public key of a principal is represented as xxxP, where xxx is the name of the principal, and the suffix P indicates that it is a public key. Conversely, the private or secret key for a principal is represented as xxxS, where xxx is the name of the principal, and S indicates that it is a private or secret key.

Brackets [] are used to indicate that a message has been encoded. The key that has been used to encode a particular message may be represented to the right of the closing bracket. For example, if a message YYY is encoded using the private key of principal david, the encoded message is represented as [YYY] davidS.

The message obtained when an encoded message is decoded is represented through the use of parentheses, ( ). The encoded message to be decoded is represented within the parentheses, while the key used to perform the decoding is represented to the right of the closing parenthesis. For example, if the example message above is to be decoded using the public key of david, the resulting message is represented as ([YYY] davidS) davidP. Because the key davidP is the complement to davidS, the decoded example will be equivalent to the original, uncoded message. In other words

YYY = ([YYY] davidS) davidP

In the specification and claims that follow, the term "workstation" is used in its generic sense and, as such, describes various types of computer systems.

5. AUTHENTICATION

In order to implement a security policy controlling the exchange of information throughout a distributed system some mechanism should exist for uniquely identifying each of the network systems. Only in this manner can the access rights of each system be determined and controlled. This process of identifying and verifying a principal on the network is known as "authentication." In an embodiment of the present invention, authentication is accomplished through the use of RSA cryptography and a global naming service.

The authentication process illustrated here is a two-part process. First, a user seeking to authenticate itself must demonstrate knowledge of a particular private key. Second, the entity receiving the authentication request must accurately be able to determine that knowledge of a particular private key implies a particular principal name. These two components of authentication are kept separate in the present invention.
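The two-part process just described, as an added Python example that is not code from the Abadi patent: principal P1 issues a random nonce X, P2 returns its name together with [X] twoS, and P1 looks up twoP in the naming service before checking that ([X] twoS) twoP equals X. A toy RSA with two-digit primes stands in for real RSA so that the arithmetic can be followed by hand; it is not a usable cipher. The principal names "one" and "two", the primes, and the replay bookkeeping are assumptions of this example.

```python
"""Nonce challenge and response, with the naming service binding a name to a key.

Added example, not the patent's code. Toy RSA with two-digit primes stands in for
real RSA so the arithmetic can be followed by hand; it illustrates the protocol
only and is not a usable cipher. Principal names, primes and the replay
bookkeeping are assumptions of this example.
"""
from __future__ import annotations

import secrets


def toy_keypair(p: int, q: int, e: int) -> tuple[tuple[int, int], tuple[int, int]]:
    """Return (xxxP, xxxS) as (modulus, exponent) pairs; d inverts e modulo (p-1)(q-1)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def encode(message: int, key: tuple[int, int]) -> int:
    """[message] key: exponentiate with whichever key, public or secret, is supplied."""
    n, exponent = key
    return pow(message, exponent, n)


NONCE_LIMIT = 3000   # below every toy modulus used here; real nonces are 128-bit random values


class Principal:
    """Principal P2 of FIG. 1A: holds xxxS and answers challenges with its name."""

    def __init__(self, name: str, secret: tuple[int, int]) -> None:
        self.name = name
        self._secret = secret          # xxxS, never disclosed to another principal

    def respond(self, nonce: int) -> tuple[str, int]:
        """Reply to message 14: the claimed principal name and [X] xxxS."""
        return self.name, encode(nonce, self._secret)


class Verifier:
    """Principal P1 of FIG. 1A: issues nonces and checks the responses."""

    def __init__(self, naming_service: dict[str, tuple[int, int]]) -> None:
        self.naming = naming_service   # global naming service: principal name -> xxxP
        self.outstanding: set[int] = set()

    def challenge(self) -> int:
        """Message 14: a fresh random number X, remembered until it is answered."""
        x = 2 + secrets.randbelow(NONCE_LIMIT - 2)
        self.outstanding.add(x)
        return x

    def verify(self, nonce: int, claimed_name: str, signed: int) -> bool:
        """Part one: was X signed with the key that part two's name lookup yields?

        A nonce that was never issued, or that was already answered, is rejected;
        that is what stops a response captured from an earlier exchange being replayed.
        """
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)            # each X may be answered once
        public = self.naming.get(claimed_name)      # part two: principal name -> xxxP
        if public is None:
            return False
        return encode(signed, public) == nonce      # ([X] xxxS) xxxP == X


# Constructed key material for two principals named "one" and "two".
oneP, oneS = toy_keypair(61, 53, 17)
twoP, twoS = toy_keypair(71, 79, 11)
NAMING_SERVICE = {"one": oneP, "two": twoP}


def run_exchange(verifier: Verifier, responder: Principal) -> bool:
    """One challenge/response round; True when the verifier accepts the responder."""
    x = verifier.challenge()
    name, signed = responder.respond(x)
    return verifier.verify(x, name, signed)
```

The verifier never trusts the public key the responder offers; it takes the key from the naming service under the claimed name, which is the separation the text insists on between proving knowledge of a key and deciding whose key it is. The outstanding-nonce set is what makes a captured response worthless later, and is cleared on every verification attempt so that a failed guess cannot be retried against the same X.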
5.1. RSA Cryptography for Verifying Knowledge of a Particular Private Key

RSA cryptography, disclosed in U.S. Pat. No. 4,405,829 to Rivest et al., is well known in the art. RSA cryptography involves the use of a public/private key system.

In connection with the present invention, each principal on the network is assigned a particular "private key". This private key is a code that is exclusive to that principal; it is not disclosed to any other principal on the network. Thus, for security purposes, it is assumed that each private key is kept secret by its principal. For this reason private keys will be referred to in this specification and drawings as xxxS, where xxx identifies the key, and S indicates that it is a private (or Secret) key.

Corresponding to each private key is a public key (to be represented as xxxP). A public key is associated with each principal on the network. This public key may be made known, and shared with other principals on the network.

As known in the art, and described in the Rivest et al. patent, the public and private keys are generated in such a manner that knowledge of the public key does not reveal the private key.

The public and private keys operate together to allow the coding and decoding of messages. Thus, a message encoded using a private key may only be decoded by the public key that corresponds to that private key. Alternately, a message encoded using a public key may only be decoded by the private key corresponding to that public key.

FIG. 1A provides an example of using RSA encoding for authentication. P2 establishes a communications channel over which it wishes to converse with P1. If principal P2 wishes to converse with principal P1 it must first persuade principal P1 that it is indeed principal P2.

This may be done by principal P1 generating a challenge to principal P2. This challenge (sometimes referred to in the art as a "nonce") comprises a random number X that is sent to principal P2. This nonce message is illustrated as 14.

After receiving this nonce 14, principal P2 sends to [...]

[...] captured from a previous exchange. This process is illustrated in FIG. 1B. This is the first part of the authentication process.

If principal P1 can somehow associate the private key twoS with principal P2, then principal P1 knows that it is communicating with principal P2, inasmuch as no one else could have signed number X with principal P2's private key.

A similar exchange in the opposite direction allows P2 to authenticate P1. Once each principal is assured of who he is talking to, messages may be sent over the communications channel. Note that to prevent an imposter from subsequently breaking into the conversation, the communications channel must be secured by means generally known, such as physical security or conventional secret key encryption.

In the above example, principal P2 provided its public key twoP in message 16. In one embodiment of the invention principal P2 provides only its user name. In this embodiment, principal P1 would have been responsible for determining the public key associated with the user name sent in the message.

5.2. Improved Global Naming Service

The above discussion of authentication placed particular emphasis on the relationship between a particular principal and the public and private keys associated with that principal. Each principal on the distributed network of the present invention is assigned a name and a private key.

As discussed above, in order to determine which principal is requesting authentication, the non-requesting party must (1) determine that the requesting party has knowledge of a private key, and (2) determine which particular principal is identified by that private key.

In connection with the present invention, principals are identified through the use of "principal names." A principal name is an identification code that uniquely identifies a principal. In one embodiment, the principal names are human readable and understandable so that people can specify this name on access control lists.

Because the security system of the present invention is geared toward principal names, not private keys, some

PI the value obtained when the number X is "signed" 45 mechanism should exist for associating the public and 

(encoded) by principal P2's private key (twoS). It also private keys for each principal with its name, 

includes in this message its corresponding public key This function is accomplished through the use of an 

twoP. This message is illustrated as shown at reference improved global naming service (GNS). This naming 

numeral 16. As may be discerned, the random number service is a depository of principal names, their associ- 

X is illustrated as being "locked" by the key twoS. This 50 ated public keys, and other relevant security informa- 

lllustrative convention illustrates that the message tion. This information (the principal names, public keys, 

within the brackets has been signed (encoded) by the etc.) is stored in name "certificates" that are signed 

key at the right of the bracket. (encoded) using the private keys of particular principals 

Thus, the message may only be decoded (unlocked) that have some degree of trust. Because these principals 

by using the key complementary to that outside of the 55 certify that a particular principal has particular access 

brackets. For example, in FIG. 1A, message 16 shows rights, they are sometimes referred to as certifying au- 

the number X encoded by the key twoS. As such, this thorities (CAs). " 

message may only be decoded through the use of twoP (a) Trust and the Improved Global Naming Service 

(the complement to twoS). The improved GNS need not be fully trusted. This is 

After receiving message 16, principal PI can compare 60 beneficial in that is simplifies the design and mainte- 

the uncoded number X (from message 14) with the nance of the GNS. Further, the overall security of the 

value obtained when the signal 16 is decoded using the system is increased because many different servers do 

public key twoP (which was provided in the signal 16). not have to be trusted. 

If the two values match, then principal PI knows with For purposes of the present invention, the GNS 

certainty that it is communicating with a principal pos- 65 should be trusted only for "rapid revocation " This 

sessing the private key twoS. Because PI has chosen the means that if a key is compromised, the global naming 

value of the challenge X, it is not possible for an impos- service can be trusted to delete the naming certificate if 

ter to impersonate P2 by replaying a response from the requested to do so by the appropriate principal. Meth- 
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ods for developing such a limited trust GNS are known other. This requires the certifying authorities to identify 

in the art and will not be discussed herein. each other up to a common ancestor. 

(b) Principal Names: Two Basic Types. The named FIG. 2A illustrates one example of such authentica- 

principals contained in the global naming system may tion. As illustrated there are seven principals P0-P6. 

be of at least two types: users and systems. A "user" is 5 Each of the principals has a naming certificate stored in 

defined as the person who uses systems and resources, the global naming service which is signed by the certi- 

and instigates access to "objects." A "system" is basi- fying authority for the directory in which it is found, 

cally defined as a state machine (i.e., a device that when For example the global naming service entry for princi- 

given a current state, a translation function, and some pal P5 would contain a naming certificate signed by 

inputs yields a new state and a set of outputs). In simple 10 certifying authority CA2. 

terms, a system is a computer running a piece of specific If principal P6 wished to authenticate itself to princi- 

software. A system may be a computer running a cer- pal P2, P2 could send a message containing a nonce 

tain piece of software, or a process running underneath (e.g., an uncoded randomly generated number) to P6. 

another system (e.g., a process running within a particu- P6 then returns the nonce encoded under its private key 

tar operating system). Systems having other systems 15 P6S. Such a message is illustrated at reference numeral 

running underneath them are sometimes referred to as 30 in FIG. 2B. After receiving this message, principal 

"engines." P2 can look up the certificate for principal P6\ How- 

. . ever, this certificate is signed by CA2; P2's certification 

5.3. Certifying Authorities authority is CA1, so P2 has no a priori means of verify 

As briefly alluded to above, the global naming ser- 20 ing the certificate. P2 solves this problem as follows: 
vice of the present invention actually contains certifi- P2 knows the public key of his CA, CA1P. In the 

cates that are encoded (signed) using the private keys of naming service, he finds the certificate signed by CA1 

special principals known as certifying authorities (CAs). that identifies CAl's parent to be CAO and its public key 

Thus, any principal possessing knowledge of a particu- to be CAOP. He verifies this certificate by decoding it 

lar certifying authority's public key may decode and with CA1P. 

read these certificates. P2 then looks up the certificate signed by CAO that 

For example, the certifying authority for a particular certifies CA2. He decodes this with CAOP obtained 

system may be a group manager who is normally not above and learns that CA2's public key is CA2P. Fi- 

connected to the network. When the network manager 3Q nally, P2 can decode the certificate that associates P6 

wishes to add a principal to the GNS, he may go "on- with its public key P6P and verify that P6 correctly 

line" onto the network, use his private key to encode encoded the nonce with P6S. 

the information concerning the new principal (e.g., the Because the certifying authority for CA1 trusts certi- 

principal's name and public key), and deposit this en- fying authority CAO, and likewise certifying authority 

coded message into the GNS. In this manner, anyone 3J CAO certifies certifying authority CA2, it follows that 

having the public key of the network manager may principal P2 can then trust certifying authority CA2. 
access the added certificate (which contains the new (b) Contents of an Authentication Certificate. In its 

principal's public key), determine that a new principal simplest form, an authentication certificate contains the 

has been added to the group, and attempt to access (or name of a principal, its public key, and a time period of 

receive access requests from) the new principal. ^ validity. (When multiple certifying authorities are used, 

(a) Multiple Certification Authorities; Certification the certificates may also contain the name of the certify- 

Authority Hierarchy. For large networks, more than ing authority.) As discussed above, these authentication 

one certifying authority may exist. Multiple certifying certificates are signed by a certification authority and 

authorities may be used to ease management concerns are stored in the global naming service, 
and improve performance and security. In the present 45 A time period of validity is included with the authen- 

invention, these multiple certifying authorities are orga- tication certificates to ensure that a compromised prin- 

nized into a specific certification authority hierarchy. cipal does not stay on the network indefinitely. When a 

When multiple certifying authorities are used, the authentication certificate is stored in the global naming 

global naming service may be divided into several di- service, so too is a period of validity. When the period 

rectories and subdirectories. Each directory should 50 of validity has expired, the authentication certificate is 

contain certificates (signed by the certifying authority no longer valid. As such, the authentication certificates 

for that directory) for the principals and subdirectories must be periodically updated. 

?STsCS5 * VERIFICATION OF GROUP MEMBERSHIP 

addition to the multiple directories, when multiple certi- 55 As discussed above, the global naming service con- 

fying authorities are used, each principal should main- tains a listing of all of the principals authorized to oper- 

tain both its private key (which it keeps secret), and the ate on the network. When a distributed network be- 

public key of the certifying authority for the directory comes large, this list can often become quite lengthy. A 

in which it is named. Generally, the certifying authori- system in accordance with the present invention allows 

ties at the nearby branches of the directory will be 60 numerous users to be lumped together and treated as a 

trusted more than those controlling more remote direc- single unit called a "group." 

tories. Since the structure of the namespace is expected In distributed systems, multiple objects often must be 

to reflect the structure of the organization using it, this accessible to the same sets of users. These sets of users 

naturally reflects the greater trust one places in more can be quite small (e.g., two users) or they can be quite 

closely related organizations. 65 large (e.g., 100,000 users). In order to effect fast and 

Thus, when two users not certified by the same certi- manageable access, principals who are considered 

fying authority wish to mutually authenticate, the vari- equivalent for security related purposes may be com- 

ous certification authorities must cross-certify each bined into a group. A group may be thought of as a list 
of principals. The entries within a group make up the "group definition."

As discussed below, the entries in a group may be signed certificates (see section 6.2, below) or simply a list of names.

6.1. Nested Groups and Subgroup Searching

Just as a group may contain a principal name as one of its entries, so too may a group contain another group (a "subgroup"). This nesting of groups allows large groups to be expressed as trees of other subgroups.

In the absence of specific optimization (discussed below), extensive searching of a group and its subgroups must be carried out for membership verification. For example, if a group has ten subgroups, each with ten members, the possibility exists that each of the 10 subgroups must be searched before a certain principal is identified as a member of the group. Such searches may be extremely slow. While the structure of an individual group can be optimized to allow a fast search, the various subgroups are likely to be distributed over different portions of the global naming service.

6.2. Certification of Groups

Because the storage medium of a group definition may not be adequately secure, the group definitions may be certified. This is done by enclosing the group definition in a certificate, or multiple certificates signed by some appropriate certifying authority. The certifying authority should be the entity that has control over the group. The group's certifying authority (GCA) may in turn be certified by the certifying authority of the group's parent directory in the form of:

certifying authority certifies that GCA with key GCAS may sign membership certificates for group G

This format is similar to that used to certify a directory certifying authority.

For reasons of efficiency, it may be desirable to represent ... (principals or other subgroups) ... certificated member of ...:

GCA certifies that P3 is a member of G
...
GCA certifies that Pn is a member of G

These certificates have the same form as the certificates that certify a principal, except that certificates that authenticate a principal associate a particular public key with a principal's name, whereas group certification keys associate a particular principal with a group.

Because membership in a group is asserted in a certificate, it is not possible for a misbehaving (or compromised) entity to forge bogus group membership. A storage device can refuse to furnish a certificate when requested, or deny its existence, but it cannot forge a bogus certificate. In most instances, failure to furnish a certificate would only deny membership in a group, and therefore deny access to some object.

While an entity could not create a bogus certificate, the possibility exists that the entity may retain a certificate that has been revoked. To reduce this risk, the group membership certificates may have a timeout period (i.e., the membership certificate expires after a predetermined time period unless re-asserted).

Some groups may be uncertified (i.e., a group stored without the benefit of certifying certificates). The groups are only as secure as the entity that controls modification access to the group list.

6.3. Problems Arising from Large Groups and the GNS

As discussed above, the names of all ... on the network are stored in a global naming service along with certain attributes for those entities. Also stored in the global naming service are the group definitions. The definition of a group is found under the naming service entry for that group's name. As noted above, this group definition consists of a listing of each of the members of groups. The group definition may also include a listing of subgroups.

As discussed above, for security purposes, the listing of a group's members is done through the use of certificates. These certificates are messages "signed" by trusted authorities that verify group membership. The certificates which comprise a group definition (when decoded) merely provide the name of a principal (or subgroup) that is a member of that group; the security attributes are stored with the name of that principal in the global naming service.

When a principal attempts to access a system resource, the groups having access to that resource must be searched to determine if the requesting principal is a member: each subgroup in a group, and each sub-subgroup must also be searched. To perform such a nested search, each of the global definitions for the sub-groups ... in the GNS. In large networks, having numerous users, this type of search can take considerable time.

6.4. The Use of Search Hints

To improve searching speed, group membership hints ... member. Where multiple nested subgroups exist, e.g., P is a member of G1, G1 is a member of G2, ... Gn, several hints may be stored with the principal's name in the form of:

...
For j = 1 ... (n - 1)

Note that the hint list is in inverted order. In other words, the hints indicate that P is a member of the largest group possible, since it is the searches of ... groups that slow down the search.

For example, suppose that a principal named FRED has an office O in a particular wing W of a particular floor F of a particular building B in a particular city C of a particular state S. Several hints could be stored with FRED's name in the global naming service as illustrated in FIG. 3.

The first entry in the global naming service for principal FRED is an authentication certificate 31 that is signed using the private key of the certifying authority CA. Also found in FRED's global naming service entry are six hints (32-37) indicating FRED's membership in certain large groups. The use of these hints greatly decreases the amount of search time needed to verify membership in a particular group. Using the same principal FRED, as in FIG. 3, FIG. 4A illustrates a search done without using hints. In this example, a resource 40
allows write access to all members of group S. Without the use of hints, each office of each wing of each building of each city of each state must be searched until a match for FRED is found. Specifically, each group and subgroup of branches 48 and 49 will have to be completely searched, as will many if not most of the group branches of group 46.

The search speed is greatly increased when hints are used. As illustrated in FIG. 4B, with hints, principal 40 now has a hint that FRED is in S via his membership in group O. The reference monitor then merely has to expand group O, and verify that group O contains a membership certificate 41 for FRED. Resource 40 may also have to verify that group O is a subgroup of group S, but this can be done through the use of hints for groups as discussed below.

In the above example, hints were provided for each group of which FRED is a member. Generally, it is not beneficial to have hints for each and every subgroup. Thus, it may be desired to include hints only for the largest of groups. For example, assuming that the subgroups of group 44 are not too large, only the hints as to membership in groups S, C, and B may be provided.

For the above example, once it is determined via a hint that FRED is a member of group S via membership in group B, the search for FRED as a member of group B would be accomplished as if no hints were used.

6.5. Hints for Groups

Although described above with respect to principals, search hints may be stored for groups that are members of larger groups. For example, if a group G1 is a subgroup of G2 which is a subgroup of G3 . . . which is a subgroup of Gn, the hints may be in the form of:

G1 is a member of group Gj by virtue of membership in ...
For j = 2 ... (n - 1).

The searching procedure for such group hints is substantially the same as that used for principal hints.

6.6. Preventing Search Delays

The presence of hints reduces the search time of a large group. To avoid excessively long searches, it may be desirable for a large group to have as an attribute that a hint is required before a search will be performed. Thus, if a principal lacks the hint for an "inversion hint required" group, the membership test fails quickly.

Alternately, a maximum search effort may be defined for a group lacking hints. Once the maximum search effort is exceeded, the access attempt fails with a "group too big error."

6.7. Inversion Hints and Security

The inversion hints for a principal merely limit a search to a particular group (or subgroup). It is from this limited group that the certificate attesting to the principal's membership in the group is obtained. Because the group membership is still certified by the group certifying authority, the inversion hints do not attest to the principal's membership in any group, and do not have to be certified.

In other words, the certificates attesting to a principal's membership in a group are stored with the actual group definitions, not with the principal's name. Thus, the information provided in the hint is truly only a hint and can at worst deny access if it's wrong or if the principal feigns membership in a group that it isn't a member of.

Separating the principal's membership certificates from its name preserves the control needed over revocation. For example, if the membership certificates were stored with the principal's naming service entry then whoever had write-access to that entry could subvert revocation by merely replacing the certificates.

6.8. Maintaining the Search Hints

Because group membership hints constitute a duplicate representation of the group memberships in the distributed environment, some mechanism should exist by which the hints are kept in synchronization with the actual group definitions. The problem is complicated by the fact that in general the individuals managing a group may not have writing access to the naming service entries of the members. There are several possible mechanisms for keeping the hints current.

(a) Electronic Mail and Hint Maintenance. The management actions of adding or removing members from a group may result in electronic mail being sent to the affected principal, or the system manager controlling that principal's naming service entry. This mail may be interpreted to add, update, or remove the affected hints. The use of electronic mail is known in the art and will not be discussed herein.

(b) Daemon Processes to Maintain Hints. A daemon process, running under an authority which has write access to the principal's naming service entry may be used. This process may either:

(1) scan all of the large groups in the naming service and add or update the principal's hints in their naming service; or

(2) scan the hints stored with each principal and remove those whose membership certificates are not found in their respective groups.

7. HUMAN USER AUTHENTICATION

The case of authenticating a human user is special in that the human user does not have direct control over an RSA private key. This control must rest in some piece of hardware or software that the user can trust.

One possible means for authenticating a human user is a "smart card." A smart card is a piece of electronic equipment that is electrically coupled to the user's terminal and has a keypad, display, clock, and logic for performing RSA operations.

A central certifying authority (perhaps a human resource manager) may issue a smart card to a human user. This smart card, when activated, should be willing to give certain information, including the name of the user, to anyone. The smart card should also be able to sign a nonce challenge that it gives to a workstation.

To initiate a computing session, the user and workstation mutually authenticate each other. This is accomplished by having the smart card issue the user's name and a nonce challenge to the workstation. Given the user's name, the workstation can retrieve from the global naming service all of the certificates needed to authenticate the user and determine that the user can logon to that workstation. As will be discussed below, this may be accomplished by the workstation comparing the user's name to its access control list.

The workstation signs the challenge with its private key and returns to the smart card the signed challenge, another nonce, a public key, and the certificates retrieved from the naming service that the smart card needs to authenticate the workstation.
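As an added illustration (not part of the patent text), the following Python models the nested-group search of section 6.1, the inverted-order hints of sections 6.4 and 6.5 in the FRED example of FIG. 3, and the "hint required" and "group too big" controls of section 6.6; it also shows the point of section 6.7, that a wrong or feigned hint can only deny access. The group names, member lists, hint table and effort counts are constructed for this example.

```python
class GroupTooBigError(Exception):
    """Raised when an unhinted search exceeds the group's maximum effort (section 6.6)."""


def plain_search(groups, group, entity, max_effort=None):
    """The search of FIG. 4A: expand the group and its subgroups until `entity`
    appears in some member list. Returns (found, expansions); every expanded
    group costs one unit of effort."""
    stack, seen, effort = [group], set(), 0
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        effort += 1
        if max_effort is not None and effort > max_effort:
            raise GroupTooBigError(f"{group}: search effort exceeded {max_effort}")
        members = groups.get(g, [])
        if entity in members:  # the membership certificate lives in this group definition
            return True, effort
        stack.extend(m for m in members if m in groups)  # only subgroups are expanded
    return False, effort


def is_member(groups, hints, attrs, group, entity):
    """Membership test with search hints (sections 6.4 and 6.5). `hints` maps
    (entity, group) -> the subgroup through which the entity is claimed to be a
    member; `attrs` carries the per-group controls of section 6.6."""
    via = hints.get((entity, group))
    if via is None:
        g_attrs = attrs.get(group, {})
        if g_attrs.get("hint_required"):  # fail quickly instead of searching
            return False, 0
        return plain_search(groups, group, entity, g_attrs.get("max_effort"))
    # Section 6.7: the hint only narrows the search. Membership is still proven
    # by the certificate found in the small group, plus showing that the small
    # group really sits under `group` (itself possibly via group hints).
    found, cost = is_member(groups, hints, attrs, via, entity)
    if not found:
        return False, cost
    linked, more = is_member(groups, hints, attrs, group, via)
    return linked, cost + more


# Constructed data modelled on FIG. 3: FRED's office O is in wing W of floor F
# of building B in city C of state S, with sibling subgroups at every level so
# that an unhinted search must expand many groups before it reaches O.
GROUPS = {
    "S": ["C", "C2"], "C": ["B", "B2"], "C2": ["B3"],
    "B": ["F", "F2"], "B2": ["F3"], "B3": ["F4"],
    "F": ["W", "W2"], "F2": ["W3"], "F3": ["W4"], "F4": ["W5"],
    "W": ["O", "O2"], "W2": ["O3"], "W3": ["O4"], "W4": ["O5"], "W5": ["O6"],
    "O": ["FRED", "ALICE"], "O2": ["BOB"], "O3": ["CAROL"],
    "O4": ["DAVE"], "O5": ["ERIN"], "O6": ["GREG"],
}
# Inverted-order hint stored with FRED's name (FIG. 4B) plus group hints (6.5)
HINTS = {
    ("FRED", "S"): "O",
    ("O", "S"): "W", ("W", "S"): "F", ("F", "S"): "B", ("B", "S"): "C",
}


def compare_search_costs():
    """Expansions needed to verify FRED's membership in S without and with hints."""
    _, unhinted = plain_search(GROUPS, "S", "FRED")
    found, hinted = is_member(GROUPS, HINTS, {}, "S", "FRED")
    return found, unhinted, hinted
```

With the constructed tree, `compare_search_costs()` returns `(True, 21, 6)`: the unhinted search expands 21 groups, the hinted one six.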
The smart card authenticates the workstation by verifying the signed challenge and the certificates. It then displays the identity of the workstation on its display. The user, satisfied with the identity of the workstation, enters his PIN on the smart card to authorize the session.

The smart card now signs a message containing the nonce and public key received from the workstation and sends this message back to the workstation. The workstation can now authenticate the user by verifying the signature on the nonce using the certificates fetched above. The public key signed by the smart card gives the workstation the authority to act on behalf of the user, as discussed below.

8. DELEGATION

8.1. Basic Principles of Delegation

Once the user has authenticated himself to the workstation, he may access any local files within the workstation to which he has access. If the user, however, needs to access remote files on a remote system resource, the user must delegate to the workstation the ability to access those files on his behalf.

Such a delegation is illustrated in FIG. 5. In the figure, a user P has been authenticated to workstation W1, but wishes to access remote files in resource Ws. Ws receives access requests not directly from the user P, but from workstation W1. Because access rights are defined in terms of the user, the reference monitor in the server Ws must have some way of verifying that the access request did indeed originate with the user P.

This verification is accomplished through the use of "delegation certificates." The delegation from the user to the workstation is represented by a certificate, signed by the user's smart card SC at the time of login. This is represented by certificate D1 in FIG. 5. This certificate indicates that the workstation is authorized to speak for the user. The delegation format illustrated indicates that the smart card SC 53 has signed a statement authorizing W1 to speak for user P. The workstation W1 forwards this certificate to the remote resource Ws as proof of delegation.

The remote resources may then compare the user P's name, as well as the name of the delegated workstation W1, with the names of the users and delegated systems in its access control list (ACL). If the requesting user on the delegated workstation is found in the ACL, then the user, through the workstation, is granted access to the resource.

8.2. Chained Delegation

In many situations, more than one system is present between the user and the system resource. Such a situation is illustrated in FIG. 6. In that figure a user (not shown) on workstation W1 seeks access to a file on system resource Ws, through workstation W2. In this case, the user's smart card SC delegates to workstation W1 via delegation certificate D1, which in turn delegates to W2 via delegation certificate D2.

As discussed above, the first delegation happens where workstation W1 is authorized to speak for the user (certificate D1 in the figure). The second delegation says that workstation W1 permits W2 to speak for the user. Before making an access request to system resource Ws, the workstation W2 forwards a copy of both its own delegation certificate D1 and the workstation's delegation certificate D2.

Through a chain of reasoning using both delegation certificates and the authentication certificate, the system resource Ws can conclude that workstation W2 is indeed authorized to speak for the user P. As before, both the user's name, and the names of workstations W1 and W2 must appear on the resource Ws's access control list.

Although illustrated with only two delegations, a long delegation chain may exist between several workstations. To effect such a chain, the system resource Ws must receive and verify all of the delegation certificates. For security purposes, the delegation certificates are only valid for a limited time period (approximately a day).

8.3. Delegation to a Session Key

(a) The Need to Terminate Delegations. One security problem with the above delegation system is that the identity of the workstations W1 and W2 are relatively ... once the user P authorizes workstation W1 to speak for him, the workstation W1 can make requests in user P's name as long as the delegation certificate is valid. Since the valid time period for a delegation is generally longer than most user computing sessions, there is a possibility that workstation W1, if compromised, could continue to make requests for user P even after P is logged out of the system.

This problem cannot be solved by merely erasing the delegation certificate from workstation W1's storage, since the delegation certificate has been transmitted to other parties (e.g., workstation W2, system resource Ws). Thus, even if the delegation certificate was erased from workstation W1's storage, an intruder could obtain a copy from somewhere in the system (e.g., from system resource Ws), compromise the workstation W1, and begin making requests in user P's name. Under this system, a high degree of trust must be placed in workstation W1. In order to prevent unauthorized requests, workstation W1 must be protected from compromise not only while user P has an active session with workstation W1, but for all time subsequent to the initial delegation (i.e., the time between user logout and the expiration of the delegation). To avoid the need to place such high trust in workstation W1, the present invention makes use of session or delegation key pairs.

(b) The Session Key. To allow a delegation to be rescinded at a time of the user's choosing, a system in accordance with the present invention utilizes the concept of delegating to a session. A session is simply the context in which all a user's actions are performed on a computer. In one embodiment of the present invention a new public/private key pair is generated each time the user delegates to a workstation.

As discussed above, when the user P's smart card SC is inserted into the workstation the smart card provides the user P's name, and generates a nonce challenge. In the present embodiment, after verifying that the user P can access the workstation, the workstation generates a new public/private key pair, and sends to the user's smart card the new public key, as well as a signed message containing the smart card's nonce challenge and the new public key. Note that because this public key is unique for each login, it also constitutes the nonce sent back to the smart card, which was called out separately in section 7, above. Thus, when the user's smart card receives the return message, it decodes the message using the workstation's public key and verifies that the response to the nonce challenge was correct. At this
point the user's smart card knows the new public key with which the workstation is communicating.

FIGS. 7A through 7C illustrate the use of such session keys. In FIG. 7A, the symbol K1 represents the new delegation key whose private key W1delS is held by workstation W1. After workstation W1 determines that the user P can access the workstation, it sends a message signed with workstation W1's normal private key W1S. This signed message contains the number generated by the user's smart card SC in the nonce challenge, as well as the new public delegation key W1delP.

As depicted in FIGS. 7B and 7C, the smart card SC, already knowing workstation W1's normal public key (from the certificates provided by the workstation), can verify that it was encoded by workstation W1. If, after decoding the message, the coded number X matches the number generated in the nonce, it follows that the workstation is indeed who it says it is. The smart card SC may then sign a delegation certificate D1' that says the entity ... is authorized to speak for P. This is illustrated in FIG. ...

Similarly, if a second workstation is needed to complete the chain, a second new delegation pair K2 having (W2delS, W2delP) is generated by W2, and another delegation certificate D2' is generated and signed with ...

... important in an environment where the entity is a "public workstation" no longer under control of the user once he leaves the vicinity.

(c) Generation of Session Keys. Creating a new public/private key pair is a very computer intensive operation that may be improved in one or more of several ways.

In "pre-generation," a workstation can create several session keys ahead of time as a background process and have several key pairs available for when a user wishes to log in.

"Key pair economy" can be pursued by instructing the workstation to save a session key pair if no external requests are ... and delete the initial delegation certificate. This operation is premised on the fact that if the workstation has made no external requests, then the delegation certificate has not been transmitted outside the workstation, and erasing it ... destruction.

Simplification of session delegation can be sought: if the identity of the workstation is not needed to form a delegation, it may be simplified by (1) leaving out the identity of the ... in the delegation certificates (e.g., a certificate may say that "P authorizes anyone having the private key corresponding to W1delP to speak on his behalf"); or (2) not generating any additional session

the new private delegation key of workstation Wl This k u evs afte , r the first (e.g., Wl simply transmits a copy of 

second delegation certificate D2' says that "the entity 30 J? users delegation certificate and the new public 

possessing the private key corresponding to public key delegation key to W2). For the embodiments using 

WldelP says that the entity possessing the private key alternative number 2, a privacy-protected channel must 

that corresponds to the public key WMelP may speak exist between Wl and W2. 

on its behalf." 9 ACCESS TO OBJECTS 

The delegation certificates Dl and D2 continue to 35 
include the workstation names Wl and W2 because As discussed above, an "object" is something in the 
those names are needed for lookup in the access control s y s,em t0 wh 'ch access is controlled. Access is con- 
lists (discussed below). trolled for a given object by granting or denying a 

The system resource Ws only accepts requests from principal's access to that object in accordance to the 

W2 on behalf of the user P if the requests are signed by 40 security model to be implemented, 

the new delegation key W2delS. This is because the Access contro1 decisions for each object are made 

delegation certificate D2 (from Wl to W2) does not locally by the reference monitor controlling that object 

totally delegate authority to workstation W2. The dele- °" the basis of specific access control data for that ob- 

gation certificate D2 only delegates authority as 16ng as ject. The specific access control data for each object are 

workstation W2 possess the secret key W2delS. 45 preferably stored with that object in the form of access 

In this embodiment of the invention, when the user P control lists (ACL), 

wishes to end a session he can instruct workstation Wl Generally speaking, when a principal requests access 

to erase the new private delegation key, WldelS. Be- to an object, that object's reference monitor attempts to 

cause the private key WldelS was held secret by work- locate the requesting principal's identity in the ACL for 

station Wl, the delegation chain is completely de- 50 that object. If the principal's identity is found, the ac- 

stroyed, because any principal that attempts to use the cess requested by the principal is compared to the ac- 
delegation certificate must demonstrate knowledge of cess allowed by the ACL entry. If the ACL entry indi- 

the secret key WldelS. Since there was only one copy cates that the access requested is allowed, then access is 

of this secret key (and it has been destroyed), no one can granted; if the requested access is not allowed, or the 

use the delegation certificate Dl to make requests. 55 principal cannot be found in the ACL, then access is 

Thus, even if workstation Wl (or W2 for the second denied. 

tSS^jS^SL Z^J^S Control Lists (ACL) 

necessary to support the delegation certificate Dl (or (a) Generally. Generally speaking, an "access control 

D2) has been destroyed. 60 list" (ACL) is a date structure that associates access 

As will be noted, this embodiment removes the need rights with sets of named principals. In its most basic 

to place extended trust in workstation Wl. In the pres- sense, an ACL may comprise a list of the names of the 

ent invention, workstation Wl needs only to be trusted principals which are allowed access to the object associ- 

to operate faithfully while the user is present, and to ated with that ACL, and an indication of the access 

erase the private key WldelS when the user logs out. 65 rights that are allowed. 

Trusting an entity to delete a single key at a certain time The creation of ACLs is a matter of routine work for 

requires less trust than trusting that an entity never be a person skilled in the art having the benefit of this 

compromised after a delegation. This is particularly disclosure. Past examples of ACLs include the SOGW 
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protection mask, the ACL in VMS, and the OGW file „, A 

protection modes in Unix. 9 - 2 - Access-Right Expressions and Constructs 

The access rights for a particular principal are the An access right expression specifies the specific ac- 

operations that a reference monitor will allow that prin- cess rights granted to a set of principals (or groups), 

cipal to perform on its object. Traditional access rights 5 This represents the ultimate purpose of the ACL and is 

are read, write, delete, etc. therefore discussed in detail here. 

In accordance with the present invention, access FIG. 10 illustrates the most basic access right expres- 

rights include any request that can be implemented by sion. In that figure, a principal-set 80 is granted the 

an object. Thus access rights include such things as the specific access-right 81 listed. The symbol => repre- 

ability to make requests of a file service, to join a clus- 10 sents such an granting of access rights. As will be dis- 

ter, and to change a process's priority. cussed below, a principal-set is a grouping of principals 

The access rights are generally associated with prin- by either name or group, 

cipals through the use of "access right expressions." FIG. 10 also illustrates a second form for access right 

Such access right expressions will be discussed in detail expression. As illustrated, symbol > indicates that the 

below. 15 principal-set 80 may be delegated the specific access- 

(b) The ACL as an Object. Because ACLs may need right 81'. As discussed below, a principal may delegate 
to be read or changed, they themselves fall within the authority to other principals to act on his behalf. An 
definition of "objects." As such, each ACL itself has an expression such as the one illustrated in FIG. 10 pre- 
ACL that specifies who can read or modify it. In order vents allowing an untrustworthy system from being 
to avoid infinite regress, the second level ACL (i.e., the 0 delegated too much authority. Delegation is discussed 
ACL's ACL) may be its own ACL. Thus, in addition to in detail above. 

the access rights discussed above, the ACL for an ob- FIG. 10 also illustrates a third form that an access 

ject may include an entry indicating that the principal right expression may take. In this expression, the princi- 

can read or write to that ACL. pal-set 82 is listed with no access rights. The listing of a 

It may be desirable to grant read access to an ACL to principal-set with no access rights implies that the speci- 

those principals that are able to read the corresponding fied principals are granted all possible access rights, 

object, and write access to those having write access to The principal-sets discussed above may comprise a 

the object. Such an embodiment is illustrated in FIG. 8. listing of principal names, a group, or a construct of 

In that figure an object 60 (a file ALPHA) is illustrated 3Q principals and/or groups. For purposes of this specifica- 

with its ACL 62. As shown, the principal JOHN has tion, the term "principal-set" will refer to a list of princi- 

read access to the object 60 and principal ALICE has pal names, while the term "NAME" will refer to a 

read access to both the ACL 62 and the object 60. An group. 

arrow 65 indicates that the ACL 64 is its own ACL. When a listing of principal-set comprises a listing of 

(c) Authentication and Principal Storage. To mediate 35 principals, each of the listed principals is granted the 
access, the reference monitor for an object must inter- access rights indicated by the access right expression, 
pret that object's ACL. For security reasons, each prin- For example, in FIG. 11, principals BOB, JOHN, and 
cipal or group named in the ACL should be authenti- CARL are all given the access right S, as are all of the 
cated by the reference monitor. (The authentication principals in group ONE. 

process is discussed above) ^ Four principal-set constructs are utilized in the em- 

(d) ACL Structure. As discussed above, the ACL is a bodiment illustrated here. Each will be discussed sepa- 
structure for associating access rights with a set (or sets) rately. 

of principals. A system in accordance with the present 00 Principal-set OR Principal-Set: The UNION of 

invention uses a variety of operators to construct the Groups. The construct A OR B, where A and B are 

sets and to associate the access rights. These operators 45 principal -sets, means that A and B are both members of 

are discussed in detail below. Development of hardware the set. In other words, to be allowed access, the acces- 

(or software) implementations of the disclosed opera- sor must be either A or B. The following equation illus- 

tions is routine work for a person skilled in the art hav- trates this construct, 
ing the benefit of this disclosure. 

The access rights granted to a particular entry in a 50 a or b=>s 

group may be controlled through the use of access right . 

expressions. Thus, a group may sometimes be thought pnnclp • seI ->» ccess - n « 1 

°WhenTn n ACL deludes a group as an entry, the con- . J he ^ove caption indicates that both A and B have 

tents of that group in effect become part of that ACL. 55 "* ht s for *J«t controlled by he ACL 

As FIG. 9A illustrates, an ACL 70 may contain several ^fi^rfnT I £7™^ 

principal entnes 72, as well as the access rights associ- ^.f ' V"*" A ° " ? , * 

ated with those entries 74. The ACL 70 may also con- udon ofA and B P™« P al-set comprises the 

tain group entries, for example group TEACHERS 75. t,^„:„„i '♦ A xir» iw.. . -m. , K rr Cn 

in the ACL 70) will be allowed access to the object ^C™^ ^"iV^ ™f Se ? ,lon of set and 
controlled by ACL 70 because BOB is found in group 65 * The foU ° Wlng pr0VldeS *" " ample - 
TEACHERS. Because ACL 70 grants only delete-type A AND B = > s 
access to TEACHERS, and therefore to BOB, he can- 
not write to the object controlled by ACL 70. P rincipai-set=> access-right 
In order to prevent the ACL from improperly granting access to either A or B, access should be denied unless A and B are both acting in concert. Only then can the ACL be sure that the entity requesting access to the object (having the authority of both A and B) has the access right S.

(c) Principal-set - name: Group EXCLUSION in Hierarchical Groups. In the third construct, principals or groups being subtracted out of the principal-set must be members of the groups to the left of the "-". Thus, before this construct may be applied to a principal-set (or group) it must be determined that the group on the right is a subgroup of the principal-set (group) on the left. This construct means that the members of the final principal-set comprise all the members of the initial principal-set that do not derive their membership by being members in the named subgroup.

The following provides an example of this construct:

A-B => S

principal-set => access-right

(B is a subgroup of A)

Thus, the present interpretation of this construct yields a final principal-set which is equal to all of the principals in A which do not owe their existence in A to being in subgroup B. When determining whether a principal is a member of A-B all of the subgroups of A except B should be searched for that principal, i.e., A-B means skip subgroup B when searching the subgroups of A.

In the context of the present invention this construct provides several advantages. First, as discussed above, a misbehaving or compromised group may assert that a particular principal is not a member of a group (i.e., it is not possible to reliably assert group non-membership).

Under traditional interpretations of A-B (i.e., all of the members of A except those that are members of B) an improper granting of access rights may result. For example, assume group A contains subgroup B, and principal ALICE is a member of subgroup B. (This example is illustrated in FIG. 12.) If subgroup B is compromised, it may assert that ALICE is not a member of that subgroup. The traditional interpretation of A-B => S would improperly grant ALICE access right S since she is not found in subgroup B.

Under the construct of the present invention compromise of subgroup B cannot affect the granting of access right S. This is because the data from subgroup B is simply not used in interpreting this construct; thus, withholding data that will not be used cannot make any difference.

A second advantage of the present construct is that the broadest possible access is allowed for the principal being searched by the ACL. For example assume the groups and subgroups illustrated in FIG. 12. As may be seen, principal BOB is a member of both subgroups B and C. Under the traditional interpretation of A-B => S, BOB would be denied access right S because he is a member of group B.

Under the method of interpretation of the present invention, however, BOB would be granted the access right because his membership in group A is not solely dependent on his membership in subgroup B. Thus in the present invention subtraction of one group does not affect other group memberships.

(d) Principal-set - C(name): Group EXCLUSION. The fourth construct allows for traditional subtraction. A-C(B) includes all of the members of A except those who are also members of B. In this construct B does not have to be a subgroup of A.

Generally, this construct should not be used where the reference monitor for an object does not have guaranteed access to the entire definition of a subtracted group. Such a case may occur where the subtracted group (B) includes subgroups that are not accessible by the reference monitor. If the reference monitor cannot expand the subtracted group through all its subgroups, there is a danger that improper access will be allowed. To avoid this situation, the reference monitor may deny access in all such situations.

9.3.

The ACL may be used to restrict access to a user under certain circumstances.

(a) Limiting Access to Specified Computer Systems. In a distributed system, each system on the network may not be equally trusted. In these situations it may be desirable to limit a user's access to certain system resources depending on which system he is operating from.

For example, one workstation may be highly secure, while another is relatively unprotected. In this example, it may be desirable to prevent a user from gaining access to highly sensitive resources through the unprotected workstation, but to allow the same user access when operating from the protected system. Thus, the access rights of the user depend on the system within which he is operating.

In order to implement this security policy, a new principal construct ON may be introduced. Thus, when a user U makes a request through a workstation W, the workstation makes a request to a system resource (e.g., a server) as U ON W. This request is allowed by the user delegating to the workstation authority to make requests in the form of "U ON W says S". (Delegation is discussed in section 8, above.) This request is interpreted as "W says U says S, and W is authorized to speak on U's behalf (evidenced by the delegation certificate)."

When such a request is made, the system resource's (object's) reference monitor checks the ACL for that system. If U ON W is found in the ACL, and the desired access S is allowed, then U, through W, is allowed access to the resource.

If delegation is cascaded through multiple systems, all the systems that are included in the compound principal must appear in the ACL entry. For example, if U delegates to workstation W1, which delegates to workstation W2, which makes a request of a system resource, the ACL for that resource must allow the requested access for "U ON W1 ON W2." Because the degree of security for a chain is equivalent to the degree of security possessed by the least secure member, the order of delegation is usually not important. Thus, "U ON W1 ON W2" may be considered equivalent to "U ON W2 ON W1."

While single workstations were used in the above examples, any of the principals in the ACL may be groups. For example, an ACL having a principal-set entry of "U ON SECURE" would only allow access to user U if logged into any of the workstations in group SECURE. If this construct is used, and a user is to be allowed access to a system regardless of the delegated systems involved, the construct "U ON*" may be used. Such access right expressions may allow access to U regardless of the chain of delegation.

(b) Limiting Delegated Access Rights. In certain situations, a user with a high degree of trust may wish to use a computer system, but not to trust that system with all his capabilities. In other words, the user may wish to delegate to a system only a subset of his total access rights.

To allow the user to limit his delegated powers, it is convenient to introduce the concept of "roles." A role may be a certain group of access rights which the user (operating in that role) may exercise. For example, a user operating in the role of STUDENT may be allowed to read certain limited files. The same user, operating in the role of PROFESSOR, may be able not only to read these files, but to modify their contents as well.

When the user U delegates to a workstation W, he can sign a delegation certificate in the form of "W is authorized to speak for U AS R." In this manner, the workstation W will only be allowed to invoke the access rights that U has in role R. Any request from the workstation W to a system resource will be in the form of "(U AS R) ON W says . . . ." To gain access to the system, the ACL for the requested resource must contain an entry granting access to "(U AS R) ON W"; access should be denied if the workstation only includes U or "U ON W".

The ACL for a resource may be simplified if a group is defined to represent the role. If this is done the ACL entry may be expressed as "R ON W." The reference monitor for the resource will then verify that U is a member of R, and allow the requested access if R is listed on the ACL.

(c) Protected Subsystems. Several security systems utilize the notion of a "protected subsystem." A protected subsystem is a particular piece of software, sometimes in combination with a particular user. As discussed above, the degree of trust granted to computer systems in the network may vary. Thus, when considering a protected subsystem, the computer system executing the particular software is an important consideration, since correct execution depends on the trustworthiness of the computer and its operating system.

As discussed above, a workstation is authenticated by possession of a private key. When a protected subsystem Q is running on the workstation, the workstation W may authenticate itself, and assert requests as "W AS Q."

When the workstation makes a request, it should do so as both the protected subsystem, and the user from whom the request is made. For example, if a user U runs a protected subsystem Q on a workstation W, and a request is made of the server, the request should be made in the form of "(W AS Q) WITH U says . . . ." This request essentially indicates that "both U ON W AND W AS Q say . . . ." This request will be granted if the ACL for the requested system has a listing for "(W AS Q) WITH U" and the reference monitor for the resource can:

(1) authenticate both U and W; and

(2) verify the certificate of delegation by U to W.

As discussed above in regards to roles, the ACL may be simplified to "Q WITH U" by defining a group Q consisting of all the systems which are authorized to run the particular protected subsystem. Thus "Q WITH U" is equivalent to "Q AND (U ON Q)."

9.4. Access Lists and the Group as an Object

The group (used here to mean a simple or complex list of group member identities) may itself be treated as an object and as such has its own access controls (i.e., its own ACL). The group's ACL thus controls who may see the contents of the group and who may affect its membership.

Groups may be stored in any globally accessible storage device (i.e., a storage device available to all on the network). Generally, any storage device that supports groups should allow for the stored groups to be created, deleted, read, displayed, tested, and modified. Performance of the above listed operations should be limited to those principals having the necessary access rights (as indicated by the group's ACL).

The above described embodiments of the present invention are to be considered as illustrative, and not restrictive. For example, the functions described above may be equivalently implemented in hardware or software, as convenient. It will be apparent to those skilled in the art that many variations are possible without departing from the invention, which is set forth in the following claims.

What is claimed is:

1. In a distributed system, a method for defining the access of a user on a specified workstation to a system resource having an access list, the method comprising the steps of:

(a) generating an access code indicating that the user has delegated access authority to the specified workstation; and

(b) allowing the specified workstation to have access to the system resource when all of the following conditions (1)-(3) are met:

(1) the system resource receives an access request from the specified workstation;

(2) the access control list for the system resource has an entry allowing the specified workstation to have access to the system resource if the user has delegated access authority to the specified workstation; and

(3) the system resource determines that the user has delegated access authority to the specified workstation.

2. In a distributed system, a method for defining the 
access privileges of a workstation to a system resource 
for an identified user having specified access privileges, 
the method comprising the steps of: 

(a) generating a role code indicating a subset of the 
user's access privileges to be delegated to the 
workstation; 

(b) generating an access code representing the user 
acting according to the role code assigned in step 
(a); 

(c) delegating access privileges to the workstation on 
the basis of the access code generated in step (b); 

(d) generating a second access code representing the 
workstation acting with the access privileges dele- 
gated in step (c); and 

(e) allowing the workstation access to the system 
resource when the code generated in step (d) indi- 
cates that user is acting according to the role code 
assigned in step (a) and the user acting according to 
that role code has delegated authority to the work- 
station. 

3. In a distributed system, a method for defining ac- 
cess for a user to a system resource, the user having 
specified access privileges and running a specified com- 
puter program on a specified workstation, the specified 
workstation having certain access privileges, the 
method comprising the steps of: 

(a) generating a role code representing the execution 
of the specific computer program on that workstation; 

(b) generating an access code representing the user 
acting in conjunction with the assigned role code; 
and 

(c) permitting the user to have access to the system 
resource when the access code indicates that the 
workstation is executing the specified computer 
program and the user is acting in conjunction with 
the execution of the specified computer program. 

4. In a distributed system, a method for defining the 
access of a group's members on a specified workstation 
to a system resource, the method comprising the steps 
of: 

(a) generating an access code representing the group 
on the specific workstation; and 

(b) allowing the specific workstation access to the 
system resource whenever the access code indi- 
cates that a member of the group has delegated its 
access privileges to the specific workstation. 

5. In a distributed system, a method for defining the 
access rights of a workstation to a system resource 
given the identity of a particular group having certain 
access privileges, the method comprising the steps of: 

(a) generating a role code indicating a subset of the 
group's access privileges to be delegated to the 
workstation; 

(b) generating an access code representing the group 
acting in the role represented by the role code; 

(c) delegating access privileges to the workstation on 
the basis of the generated access code; 

(d) generating a second access code representing the 
workstation acting with the access privileges dele- 
gated in step (c); and 

(e) allowing the workstation access to the system 
resource whenever the second access code indi- 
cates that a member of the group, acting in the role 
assigned in step (a) has delegated its access privi- 
leges to the workstation. 

6. In a distributed system, a method for defining ac- 
cess for a group member to a system resource, the group 



member having certain access privileges and running a 
specified computer program on a specified workstation, 
the workstation having certain access privileges, the 
method comprising the steps of: 

(a) generating a role code representing the execution 
of the specific piece of software on that worksta- 
tion; 

(b) generating an access code representing the group 
acting in conjunction with the assigned role repre- 
sented by the role code; and 

(c) allowing the workstation access to the system 
resource when the access code indicates that it is 
executing the specified computer program and a 
member of the group is acting in conjunction with 
the execution of the specified computer program. 

7. In a distributed system, a method for defining ac- 
cess for a user running a specific piece of software on a 
specific workstation to a system resource, the method 
comprising the steps of: 

(a) generating a role code representing the execution 
of the specific piece of software on that workstation; 

(b) generating a first access code representing the 
workstation acting in the role code assigned in step 
(a); 

(c) generating a second access code representing the 
user acting in concert with the workstation and 
software as defined by the first access code; and 

(d) defining access to the system resource on the basis 
of the second access code. 

8. In a distributed system, a method for defining ac- 
cess for a group member running a specific piece of 
software on a specific workstation to a system resource, 
the method comprising the steps of: 

(a) generating a role code representing the execution 
of the specific piece of software on that workstation; 

(b) generating a first access code representing the 
workstation acting in the role code assigned in step 
(a); 

(c) generating a second access code representing the 
group acting in concert with the workstation and 
software as defined by the first access code; and 

(d) defining access to the system resource on the basis 
of the second access code. 
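The four principal-set constructs of section 9.2 of the specification above, evaluated over the FIG. 12 situation as the text describes it (ALICE only in subgroup B, BOB in subgroups B and C), as an added example that is not code from the patent or the brief. The group data, the tuple form of the expressions and the Monitor class are constructed here; the monitor also records which group definitions each evaluation consults, so that the claim that A-B never uses subgroup B's data, and the deny rule of section 9.2(d), can both be checked.

```python
"""Evaluator for the four principal-set constructs of section 9.2 (added
example, not code from the patent).  Group definitions are constructed to
match FIG. 12 as the text describes it: group A contains subgroups B and
C, ALICE is a member of B, and BOB is a member of both B and C."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed group definitions.  A member that is itself a key of GROUPS
# is a subgroup; any other name is a principal.
GROUPS: dict[str, list[str]] = {
    "A": ["B", "C", "DAVE"],
    "B": ["ALICE", "BOB"],
    "C": ["BOB", "CAROL"],
}


@dataclass
class Monitor:
    """Reference monitor that expands groups on demand and records which
    definitions it consulted (so a test can show that A-B never uses B)."""
    groups: dict[str, list[str]]
    unreachable: frozenset[str] = frozenset()  # definitions it cannot fetch
    consulted: set[str] = field(default_factory=set)

    def expand(self, group: str, skip: str | None = None) -> set[str] | None:
        """Transitive membership of `group`, never descending into `skip`.
        Returns None if a definition that is needed is unreachable."""
        if group in self.unreachable:
            return None
        self.consulted.add(group)
        found: set[str] = set()
        for m in self.groups[group]:
            if m not in self.groups:            # a plain principal name
                found.add(m)
            elif m != skip:                     # a subgroup we may search
                sub = self.expand(m, skip)
                if sub is None:
                    return None
                found |= sub
        return found

    def allows(self, expr: tuple, principal: str) -> bool:
        """Is `principal` in the principal-set denoted by `expr`?
        ("NAME", G)      a group (or a single principal name)
        ("OR", e1, e2)   A OR B: union, either side suffices
        ("AND", e1, e2)  A AND B: the accessor must be in both
        ("SUB", A, B)    A-B: hierarchical exclusion, B a subgroup of A
        ("SUBC", A, B)   A-C(B): traditional subtraction"""
        op = expr[0]
        if op == "NAME":
            found = self.expand(expr[1]) if expr[1] in self.groups else {expr[1]}
            return found is not None and principal in found
        if op == "OR":
            return self.allows(expr[1], principal) or self.allows(expr[2], principal)
        if op == "AND":
            return self.allows(expr[1], principal) and self.allows(expr[2], principal)
        if op == "SUB":
            a, b = expr[1], expr[2]
            if b not in self.groups[a]:
                raise ValueError(f"{b} is not a subgroup of {a}")
            # Search every subgroup of A except B; B's own data is never read.
            found = self.expand(a, skip=b)
            return found is not None and principal in found
        if op == "SUBC":
            in_a, in_b = self.expand(expr[1]), self.expand(expr[2])
            if in_a is None or in_b is None:
                return False  # B cannot be fully expanded: deny (section 9.2(d))
            return principal in in_a and principal not in in_b
        raise ValueError(f"unknown construct {op!r}")


def decide(expr: tuple, principal: str,
           unreachable: frozenset[str] = frozenset()) -> tuple[bool, set[str]]:
    """Evaluate with a fresh monitor; return (decision, groups consulted)."""
    m = Monitor(GROUPS, unreachable)
    return m.allows(expr, principal), m.consulted
```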
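The compound principals of section 9.3 of the specification above (U ON W, cascaded ON chains, U ON*, U AS R, R ON W, (W AS Q) WITH U and Q WITH U) matched against ACL entries, as an added example that is not code from the patent or the brief. The Request and Entry structures, the groups SECURE, PROFESSOR and PAYROLL and the sample ACL are constructed; authentication of U and W and verification of the delegation certificates (section 8) are assumed to have been done before matching.

```python
"""Matching of the compound principals of section 9.3 (ON, ON*, AS, WITH)
against ACL entries.  Added example, not code from the patent: requests
are built as structured values rather than parsed from text such as
"(U AS R) ON W", and all groups and the ACL are constructed."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed groups: the trusted workstations; the role PROFESSOR kept as
# a group so the ACL can say "PROFESSOR ON W"; and the systems allowed to
# run the protected subsystem PAYROLL, so the ACL can say "PAYROLL WITH U".
GROUPS: dict[str, frozenset[str]] = {
    "SECURE": frozenset({"W1", "W2"}),
    "PROFESSOR": frozenset({"U"}),
    "PAYROLL": frozenset({"W1"}),
}


def names(x: str) -> frozenset[str]:
    """A group name stands for its members; any other name for itself."""
    return GROUPS.get(x, frozenset({x}))


@dataclass(frozen=True)
class Request:
    """(user AS role) ON chain, optionally made as (W AS subsystem) WITH user.
    The chain is a set because 'U ON W1 ON W2' and 'U ON W2 ON W1' are
    treated as equivalent."""
    user: str
    chain: frozenset[str]
    role: str | None = None
    subsystem: str | None = None


@dataclass(frozen=True)
class Entry:
    """One ACL entry.  chain=None means ON* (any delegation chain) and an
    empty rights set means all rights (third form in FIG. 10)."""
    who: str                      # a user, or a group such as a role R
    chain: frozenset[str] | None
    rights: frozenset[str] = frozenset()
    role: str | None = None
    subsystem: str | None = None  # entry is "... WITH" this subsystem


def matches(entry: Entry, req: Request) -> bool:
    # A role restricts what was delegated, so a request limited to role R
    # must not satisfy a plain "U ON W" entry and vice versa.  The entry
    # may instead name the role as a group ("R ON W"), in which case the
    # monitor verifies that the user is a member of R.
    if entry.role is None and req.role is not None:
        if entry.who != req.role or req.user not in names(req.role):
            return False
    elif entry.role != req.role or req.user not in names(entry.who):
        return False
    # Every system in the chain must be covered by the entry, since a chain
    # is only as secure as its least secure member; ON* covers any chain.
    if entry.chain is not None:
        covered = frozenset().union(*(names(n) for n in entry.chain))
        if not req.chain <= covered:
            return False
    # A WITH entry additionally requires the request to be made as that
    # protected subsystem; for "Q WITH U" with Q a group of systems, the
    # chain check above already enforced the "U ON Q" half of Q AND (U ON Q).
    if entry.subsystem is not None and req.subsystem != entry.subsystem:
        return False
    return True


def allowed(acl: list[Entry], req: Request, right: str) -> bool:
    """Grant iff some matching entry lists the right (or all rights)."""
    return any(matches(e, req) and (not e.rights or right in e.rights)
               for e in acl)


# Constructed ACL for one resource, one entry per form discussed in 9.3.
ACL = [
    Entry("U", frozenset({"SECURE"}), frozenset({"read"})),               # U ON SECURE => read
    Entry("U", None, frozenset({"status"})),                             # U ON* => status
    Entry("PROFESSOR", frozenset({"W1"}), frozenset({"read", "write"})), # PROFESSOR ON W1 => read, write
    Entry("U", frozenset({"PAYROLL"}), frozenset({"run"}), subsystem="PAYROLL"),  # PAYROLL WITH U => run
]
```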
IX. RELATED PROCEEDINGS APPENDIX 

There are no related proceedings. 



